The Git Times

Google's MediaPipe project continues to evolve its graph-based framework for live and streaming media with the v0.10.33 release. The update focuses on practical framework and calculator improvements rather than flashy new features.

Core changes include a new C API for the Holistic Landmarker, enabling tighter integration in custom C++ applications. Developers gain Nearest Neighbor interpolation in WarpAffineCalculator, a Tensor DebugString() method that outputs numpy-style formatting, and an AddMultiStreamCallback variant accepting packet maps. The release also adds ROI validation in ImageToTensorOpenCvConverter and optional RESET support for SpectrogramCalculator.

Build configuration received targeted fixes: mediapipe/gpu:gl_context is now marked incompatible on Windows, with GPU acceleration automatically disabled to prevent platform errors. The CPU-only LLM inference engine has been removed.

Platform-specific updates restore the Holistic Landmarker to Python bindings with int2 quantization serialization support. JavaScript gains tests for the full-range face detector model, while the vision tasks add FULL_RANGE face detection.

Now six years old, MediaPipe remains a modular pipeline system built in C++. It lets developers assemble calculators into directed graphs for computer vision, video processing, audio analysis and on-device inference. Solutions deploy consistently to Android, iOS, web, desktop and edge devices. MediaPipe Tasks provide the cross-platform APIs, Model Maker handles data-driven customization, and MediaPipe Studio supplies browser-based benchmarking.

These incremental changes reduce friction for production deployments where latency and privacy matter.

Supabase has released the Multigres Kubernetes operator under an open source license. The operator supplies direct pod management, zero-downtime rolling upgrades, pgBackRest point-in-time recovery backups, and OpenTelemetry tracing for production Postgres workloads.

These capabilities address operational friction that teams encounter when running database clusters at scale. By open-sourcing the controller, Supabase continues its practice of releasing the infrastructure components it already uses internally.

The operator integrates with Supabase's broader Postgres platform, which layers authentication, auto-generated REST and GraphQL APIs, realtime subscriptions over WebSockets, Edge Functions, file storage, and pgvector-based embeddings on a single dedicated database. Recent platform changes extend GitHub integration to every plan, enabling main-branch CI/CD migrations without additional branching logic. Supabase has also joined the Stripe Projects developer preview as a co-design partner, allowing CLI-driven provisioning that writes credentials directly to .env files.

For self-hosting users the operator simplifies reliable deployment while preserving Postgres's 30-year track record of stability. Teams can now run the same stack locally, on-premises, or in cloud Kubernetes environments without proprietary orchestration layers. The release reflects Supabase's consistent focus on interchangeable, enterprise-grade open source tooling rather than closed alternatives.

Use cases remain practical: operators managing fleet-wide Postgres upgrades, AI teams indexing embeddings at scale, and product engineers shipping realtime features without managing separate pub/sub infrastructure.

PyTorch 2.11.0 introduces targeted upgrades that address the demands of large-scale model training on current-generation hardware.

The most significant addition is support for differentiable collectives in distributed training. This allows gradients to flow through communication operations, enabling entirely new classes of end-to-end differentiable parallel algorithms that were previously difficult to implement.

FlexAttention now ships with a FlashAttention-4 backend tuned for NVIDIA Hopper and Blackwell GPUs. The change delivers measurable speedups for transformer workloads running on the latest accelerator architectures. Apple Silicon users receive comprehensive operator coverage on the MPS backend, widening the range of models that run efficiently without code changes.

Additional improvements include RNN and LSTM GPU export support together with XPU Graph capabilities. These enhancements streamline deployment pipelines across specialized runtimes.

A breaking change accompanies the new features: Volta (SM 7.0) GPU support has been removed from CUDA 12.8 and 12.9 binary builds. Teams still operating legacy NVIDIA hardware must either stay on earlier PyTorch releases or migrate to newer accelerators.

The updates reflect the project's continuing focus on performance at scale while maintaining its signature dynamic autograd system and Python-first design. Binaries and source builds are available through the standard channels.

**

The jenkinsci/dingtalk-plugin has shipped version 2.8.0, delivering targeted maintenance to a tool that has connected Jenkins to DingTalk since 2016.

The plugin lets Jenkins jobs send build status, test results, and pipeline messages to DingTalk group chats and individual users through the platform's robot API. It supports formatted markdown cards, action buttons, and at-mentions, giving development teams working inside Alibaba's collaboration suite immediate visibility into CI/CD events.

Contributor BobDu drove the most substantive changes. The release eliminates the project's custom HTTP SDK, replacing it with Jenkins-native networking components. This cuts maintenance burden and removes an unnecessary attack surface. The team also added explicit DingTalk permission handling, stripped out a redundant color utility class, and merged four dependency updates to the Jenkins BOM and plugin parent. These align the plugin with Jenkins 2.479.x.

For enterprises across Greater China that standardize on DingTalk for internal communication, the update preserves existing webhook configuration while improving long-term reliability. Administrators can still define global robot credentials or per-job webhooks with keyword validation.

After nearly a decade of service, the project continues to follow the Jenkins model's pattern of steady, unspectacular refinement rather than feature churn. The 2.8.0 changes make the plugin easier for future contributors to maintain without altering its core behavior for users.

**

Autoware 1.7.1 introduces a deliberate change in dependency management, replacing apt-based Rust installation with rustup. The update corrects version skew issues that previously constrained builds and gives developers precise control over Rust toolchains required by performance-critical modules.

This Ansible modification carries breaking implications for existing deployment playbooks, forcing teams to adjust their infrastructure-as-code. Alongside it comes a backwards-compatible bump of autoware_lanelet2_extension to 0.12.0, improving HD map parsing used for centimeter-accurate localization.

The meta-repository continues to orchestrate a deliberately split architecture. autoware_core maintains stable, production-grade ROS 2 packages, while autoware_universe serves as an innovation sandbox for experimental perception and planning nodes. Shared GitHub Actions workflows and a central documentation repository reduce duplication across the foundation’s growing family of repos.

For an ecosystem now a decade old, these incremental toolchain upgrades matter. They keep Autoware current with modern Rust practices without destabilizing the full autonomous stack—from object detection through route planning and vehicle control—that hundreds of researchers and companies rely on daily.

The release demonstrates disciplined maintenance: small, focused changes that sustain long-term viability of open autonomous driving infrastructure.

SOPS remains the standard editor for encrypted configuration. Version 3.12.2, released this week, tightens its own supply chain by signing release artifacts with Cosign and GitHub OIDC. Users can now cryptographically confirm that the binary they install matches the one built by the project, addressing rising concerns over compromised download links.

Written in Go, the tool transparently encrypts and decrypts YAML, JSON, ENV, INI, and BINARY files. It supports AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, age, and PGP. Operators set SOPS_KMS_ARN (or equivalent variables) to one or more master keys, with the project still recommending keys in at least two regions for resilience.

Installation follows a three-step process: download the platform binary, fetch the accompanying checksums.txt, .pem, and .sig files, then run cosign verify-blob against the certificate identity tied to the getsops organization. Only after validation does the binary move into $PATH.

A decade after its first commit, SOPS continues to matter because it keeps secrets next to infrastructure code without requiring a central vault. The new verification steps add negligible friction while removing a common attack vector. For teams practicing GitOps or managing secrets across heterogeneous clouds, the update reinforces trust in a tool that has quietly powered secure deployments since 2015.

(178 words)

Nuclei v3.8.0 addresses two vulnerabilities in its JavaScript and expressions subsystems that could have been exploited by malicious templates. The release enforces the allow-local-file-access flag inside JS require calls and ensures only template-authored expressions are evaluated, closing the attack surface documented in GHSA-29rg-wmcw-hpf4 and GHSA-jm34-66cf-qpvr.

Additional changes correct HTTP annotation handling in unsafe mode, isolate cache keys by scheme and host, improve variable propagation through encoding functions, and fix concurrent map writes during multipart fuzzing. WebSocket path merging, JS watchdog behavior, and context cancellation in the Goja runtime have also been tightened.

Written in Go, the scanner continues to rely on a YAML-based DSL that lets contributors encode precise reproduction steps for emerging vulnerabilities. By simulating real exploit sequences rather than signature matching, it maintains a low false-positive rate across HTTP, DNS, TCP, SSL and cloud configuration checks. Parallel request clustering and SDK rate-limit respect make it suitable for both one-off assessments and continuous integration pipelines.

The updates reflect sustained community input on the engine’s own security, ensuring the tool used to hunt vulnerabilities does not introduce new ones.

Eleven years after its creation, infoslack/awesome-web-hacking remains a practical starting point for developers and security practitioners seeking structured web application security knowledge. A recent push added updated laboratory environments and contemporary course links, responding to persistent OWASP Top 10 risks and evolving attacker techniques.

The repository organizes resources into focused sections. Books recommends core titles including The Web Application Hacker’s Handbook, Hacking Exposed Web Applications, and The Tangled Web. These texts cover flaw discovery, SQL injection defenses, XSS mitigation, and browser-based attacks.

Tools and Cheat Sheets point to scanners, Metasploit modules, and quick-reference payloads. The Docker and Labs categories supply preconfigured vulnerable applications that can be spun up locally, eliminating setup friction for safe experimentation. Online Hacking Demonstration Sites offer live targets for immediate practice.

A dedicated Security Ruby on Rails section addresses framework-specific pitfalls, while SSL resources tackle certificate and transport-layer misconfigurations. Vulnerabilities and Courses sections link to mitigation patterns and structured training that align with current industry standards.

The project’s value lies in curation. Instead of hunting across scattered blogs and vendor sites, teams consult one maintained index that evolves through community pull requests. In an environment of increasing automated web attacks, it helps both builders and pentesters close knowledge gaps efficiently.

**

Protocol Buffers, Google's language-neutral mechanism for serializing structured data, released version 34.1 with practical updates for teams using modern build infrastructure.

The most immediate change is official support for Bazel 9.x. Users can now declare the dependency in MODULE.bazel with a simple bazel_dep(name = "protobuf", version = "34.1") statement. The protocopt flag has been moved out of the cc directory so it is available to all language rules. Legacy WORKSPACE users receive updated load statements for rules_java and rules_python.

C++ changes include refreshed CMake dependencies and new cc_proto_library support for MessageSet definitions inside the bridge directory. Java developers benefit from a targeted fix in JsonFormat that avoids toBigIntegerExact, preventing degenerate parse behavior when handling large numeric exponents. Python bindings inherit the Bazel 9 compatibility.

Maintainers continue to advise pinning builds to release commits rather than main-branch HEAD, where source-incompatible changes can appear without warning. These updates matter now because many organizations are migrating to newer Bazel releases while running large polyglot codebases that rely on protobuf for RPC, configuration, and telemetry.

The release demonstrates the project's focus on stability over new features, ensuring backward compatibility remains intact for the countless services that depend on it daily.

Alacritty version 0.17.0 ships incremental but meaningful upgrades to the Rust-based, OpenGL terminal emulator ten years after its debut. The project continues to emphasize sensible defaults, extensive configuration, and high throughput by integrating with external tools rather than duplicating their functionality across BSD, Linux, macOS and Windows.

Configuration gains TOML 1.1 syntax support, allowing cleaner alacritty.toml files. Mouse bindings now accept WheelUp and WheelDown entries, while Wayland platforms receive window.resize_increments handling for tighter window manager integration. A new alacritty-escapes(7) manpage arrives alongside packaging fixes.

Stability improvements dominate the changelog. The release eliminates crashes tied to OpenGL context resets, fixes IME text commitment failures on macOS, and removes erroneous error popups triggered by certain editors saving config files. OpenBSD subprocesses now correctly inherit the foreground shell's working directory. IME behavior was tightened: it is disabled in Vi mode on X11 and requires an explicit tap on touch input. Built-in fonts now cover additional block element symbols from U+1FB82 to U+1FB8B.

These changes keep the beta-status emulator reliable for daily use, preserving the lean design that made it popular among developers who value rendering speed over bundled extras.

RealSense SDK 2.57.7, a beta release, focuses on stability and quality after the project's migration from IntelRealSense to the new realsenseai GitHub organization. Users must update repository links and APT keys, as the old redirection is not guaranteed to remain active indefinitely.

The update adds support for the D436 SKU and introduces global timestamp functionality for the D555 (single-camera only, with multicamera still in progress). Beta releases will now ship to the master branch, giving developers earlier access to features ahead of official validation on the Releases page.

Platform coverage remains broad: Ubuntu 24.04/22.04/20.04 LTS, Windows 11 and 10, NVIDIA Jetson JetPack 5–7, macOS 10.13.2+, and Android 7–14. The cross-platform C++ library continues to deliver synchronized depth and color streams together with full intrinsic and extrinsic calibration data.

This release matters now because production robotics and vision systems require consistent performance at scale. By concentrating on reliability rather than headline features, the maintainers are reinforcing librealsense as the established foundation for stereo depth applications where downtime carries real cost.

The active community and wrappers for Python, ROS, C# and Unity remain unchanged, ensuring existing codebases can adopt the new binaries with minimal disruption.

The maintainers of maker.js have issued version 0.9.17, delivering incremental but practical enhancements to the TypeScript-based 2D geometry library for CNC and laser cutters.

Changes include improved environment detection, defaulting rotation origins to [0, 0], and having paths converge to the closest line endpoint. The release also corrects bugs affecting expansion, text centering and SVG layer exports.

These adjustments matter for users who build drawings from paths, models, layers and chains. The library treats lines, arcs and circles as primitives that combine into complex shapes. It supports measurement, distortion, boolean operations, fillets including dogbone variants, and layout patterns such as grids and honeycombs.

Fabricators benefit from its export capabilities to DXF for CNC, SVG and PDF for documentation, alongside Jscad and STL for 3D. The simple JSON format allows models to be easily shared, modified or required as Node modules. Built-in models for polygons, bolt circles, ellipses and rings accelerate repetitive design tasks.

More than ten years after its initial release, maker.js remains a reliable choice for programmatic drawing in JavaScript. Its API enables developers to scale, rotate, mirror, intersect and outline geometric elements with precision.

The latest updates reduce friction in common workflows, ensuring more accurate outputs when preparing files for physical production on cutting machines.

Dear ImGui v1.92.7 arrived this week with focused maintenance improvements rather than flashy new features. The update tightens stability across core widget rendering and vertex buffer output, addressing edge cases reported by teams running the library in demanding real-time environments.

Omar Cornut’s release notes stress that studying the changelog remains one of the best ways to uncover capabilities developers often overlook. Optimizations to draw command generation reduce CPU overhead when interfaces update every frame, a critical detail for tools running inside tight game-engine loops.

The library’s immediate-mode design continues to dictate its strengths and trade-offs. Each frame, application code rebuilds the entire UI from current state, eliminating the need to synchronize separate UI trees. This approach powers rapid iteration for profilers, property editors, and visualization windows but deliberately omits full internationalization and accessibility layers.

At nearly twelve years old, the project stays lean: under 10,000 lines of C++, no external dependencies, and renderer backends measured in dozens of lines. Integration into existing 3D pipelines still takes roughly 25 lines of glue code. Commercial users are openly encouraged to fund further work through invoiced contracts, as the maintainer lists specific missing features that require dedicated resources.

The release changes little for casual users but tightens behavior for large codebases that have shipped Dear ImGui for years.

Fyrox has shipped v1.0.0, its first major stable release. The engine, previously known as rg3d, supplies a complete feature set for both 2D and 3D game development written entirely in Rust. It includes a visual scene editor that supports real-time composition, asset placement, and property editing without leaving the tool chain.

Core subsystems cover physically-based rendering, a retained-mode GUI framework, rigid-body physics, animation blending, and audio mixing. All components compile to native targets and to WebAssembly, allowing example projects to run directly in browsers. The official Fyrox book documents engine internals, build procedures, and end-to-end tutorials with concrete code samples.

The 1.0 release focuses on API stability, reduced boilerplate, and improved documentation rather than new experimental features. Seven years of iterative development have produced a codebase that balances flexibility with predictable behavior. JetBrains’ all-products license continues to support maintenance, while community contributions address “good first issue” items on GitHub.

Discord channels and GitHub Discussions provide immediate feedback loops for users integrating the engine into commercial or experimental projects. The release signals that teams can adopt Fyrox for production work while retaining Rust’s safety and performance characteristics.

Phaser 4.0.0 introduces the largest architectural change in the framework’s history: a ground-up rewrite of its WebGL renderer. The previous pipeline system has been replaced by a clean render-node architecture in which each node performs a single task, WebGL state is centrally managed, and context restoration is automatic.

Central to the update are two new GPU layers. SpriteGPULayer draws one million sprites in a single call, with GPU-driven animation of position, rotation, scale, alpha, tint and frame, delivering up to 100× faster rendering than standard sprites. TilemapGPULayer collapses an entire layer into one quad, allowing 4096×4096 maps at per-pixel shader cost with perfect filtering and no seams.

The FX and mask systems have been unified into a single Filter API. Developers can now apply Blur, Glow, Bloom, Pixelate, Vignette, GradientMap and other effects to any game object or camera without earlier restrictions. Tinting has been overhauled with six independent modes—MULTIPLY, FILL, ADD, SCREEN, OVERLAY, HARD_LIGHT—while new objects such as Gradient, multi-dimensional Noise and Stamp expand the built-in library.

The familiar JavaScript and TypeScript API remains unchanged. Games continue to target browsers, YouTube Playables, Discord Activities and native platforms. The create-phaser-game CLI scaffolds projects for React, Vue, Svelte and other front-end frameworks using Vite, Rollup or Webpack.

(178 words)