Dear frontend devs and UI designers. I bring you Liquid DOM, a complete and faithful implementation of Liquid Glass on the Web.
- Shape morphing
- All properties animatable
- Dynamic refraction and reflection
- Adaptive tint
- Adaptive specular highlight
- Dispersion
- Full html integration
- Super fast layout engine that works across Canvas and html
- Pointer event handling
- Framework and renderer-agnostic low level API
- High level React API
- Ootb @threejs and r3f integration
And lots more.
Read on for implementation details and demos.
Here is one thing that sucks in Rust and where Zig shines: memory allocation.
Let me explain: we take memory allocation for granted, and the language APIs make it look infallible, but it isn’t. Take this:
let mut v = Vec::new();
v.push(my_data);
The push could fail if the system could not allocate the required memory. In Rust, this straight up aborts/panics. You cannot handle this as an error.
Second, you cannot control how memory is allocated, like on the heap, arena, or your custom allocator. All data structures use one global allocator. The current Rust APIs suck.
Rust does have an allocator API, but it has been in nightly for many years. Like in the above example, it becomes try_push.
By contrast, all of this is first class in Zig. Every collection takes an allocator, and you can pass around the one you want. They return errors which you can handle.
In a database, you want to control every aspect of memory. If there is no more free space left to allocate, we want that to become a normal error that can be returned to the caller and handled gracefully. If the database aborts/panics because an allocation failed, that is terrible - one query or one bad allocation path can take down the entire process and affect all connected clients.
In Turso, we use a global allocator, and now we are working towards changing that (PR in next tweet). However, we need to add so much boilerplate code, redefine all data structures, and replace existing usage everywhere. It just sucks.
This would be so sweet in Zig. A great example is TigerBeetle's codebase.
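The fallible allocation path the thread alludes to, as an added example (not code from the original posts, Turso or TigerBeetle): stable Rust's Vec::try_reserve returns a TryReserveError instead of aborting, so an allocation that cannot be satisfied becomes an ordinary error the caller handles, which is the behaviour the post wants for a database. The QueryError type, the try_push helper and alloc_result_buffer are hypothetical names chosen here; the example covers only surfacing failure, not choosing the allocator, which still needs the nightly allocator API the post mentions.

```rust
use std::collections::TryReserveError;

/// Error a database-style API returns to the caller instead of taking the process down.
/// (Hypothetical type for this example.)
#[derive(Debug, PartialEq)]
enum QueryError {
    OutOfMemory,
}

impl From<TryReserveError> for QueryError {
    fn from(_: TryReserveError) -> Self {
        QueryError::OutOfMemory
    }
}

/// Fallible push: reserve space first so the push itself can never reallocate,
/// and therefore can never hit the aborting allocation-failure path.
fn try_push<T>(v: &mut Vec<T>, item: T) -> Result<(), TryReserveError> {
    v.try_reserve(1)?; // Err(...) here instead of handle_alloc_error
    v.push(item); // capacity is guaranteed, so this cannot allocate
    Ok(())
}

/// Hypothetical result buffer for a query: pre-sizes storage for `rows` rows
/// of `row_bytes` each and reports OutOfMemory when that cannot be satisfied.
fn alloc_result_buffer(rows: usize, row_bytes: usize) -> Result<Vec<u8>, QueryError> {
    // Size arithmetic overflow is the same class of failure as allocation failure.
    let total = rows.checked_mul(row_bytes).ok_or(QueryError::OutOfMemory)?;
    let mut buf = Vec::new();
    buf.try_reserve(total)?; // converted by the From impl above
    Ok(buf)
}

fn main() {
    let mut v: Vec<u32> = Vec::new();
    try_push(&mut v, 42).expect("a one-element allocation should succeed");
    println!("pushed {} item(s)", v.len());

    // usize::MAX bytes exceeds isize::MAX, so try_reserve fails with CapacityOverflow
    // before touching the allocator; the process keeps running and the caller decides.
    match alloc_result_buffer(usize::MAX, 1) {
        Ok(_) => println!("unexpected success"),
        Err(e) => println!("query failed gracefully: {:?}", e),
    }
}
```

The same pattern applies to any std collection that exposes try_reserve (String, VecDeque, HashMap); the point is that the failure reaches the caller as a value rather than as an abort.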
🆕 The Popover API is Baseline, no JavaScript needed
Tooltips, dropdowns, and menus with just HTML attributes.
⋅ popover attribute on any element
⋅ popovertarget to wire the trigger
⋅ Accessible by default, no ARIA hacks
Learn more 👇
https://t.co/fDxvVleL0Q
Usage limits are up, effective today we're:
1) Doubling Claude Code's 5-hour limits for Pro, Max, Team and seat-based Enterprise plans
2) Removing peak hours limit reduction on Claude Code for Pro and Max plans
3) Substantially raising our API rate limits for Opus models
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.
The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.
Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.
The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root.
Result: the next time anyone runs that program, it lets the attacker in as root.
What should worry you most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.
Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.
The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.
This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root
Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure
Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
Announcing Cloud Run Instances:
A new primitive to manage individual Cloud Run instances instead of through predefined resource types, starting in seconds.
Designed for asynchronous, long-running, background agents needing isolated, on-demand compute.
Priced at $5.70 / month for 1 CPU (shared) + 1 GiB
Announcing Cloud Run sandboxes:
Secure on-the-fly code execution: Spin up ephemeral, isolated sandboxes from within Cloud Run resources.
Safely execute agent-generated code, scripts, or Chromium.
@pnpmjs Got it, thank you for clarifying. By the way, I’ve been eagerly waiting for GVS for regular deps too, mainly for sharing the store across worktrees. How do you think this issue is looking? (I understand it’s not really a pnpm issue, though…)
https://t.co/cr3K9Zk2U7
7/ 🔗 Global virtual store by default
All runtime dependencies are linked from a single global virtual store at `{storeDir}/links/`. Config dependencies too. Shared across projects sharing a store — no redundant fetches or imports.
And ~95% of packages survive Node.js upgrades without re-import (engine-name excluded from hashes for non-building packages).
@pnpmjs I thought “runtime dependency packages” meant deps needed at runtime (vs devDependencies), but pnpm means the runtimes themselves like Node.js?
1/ 🚀 pnpm v11 is almost here — and it's the biggest release in years. Supply-chain protection by default, a SQLite-backed store, native publish flow, an overhauled config model, and a pile of new commands. Here's what's shipping 🧵