The Git Times

Open WebUI v0.9.5 focuses on operational security for self-hosted LLM environments. The release blocks redirect-based server-side request forgery by default. All outbound HTTP requests now reject 3xx redirects unless explicitly allowed via the AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable. The protection covers web fetch, image loading, OAuth discovery, tool server execution and code interpreter login, closing a vector that could let external URLs pivot to internal RFC 1918 networks, loopback addresses or cloud metadata endpoints.

Administrators gain a new IFRAME_CSP variable to define Content-Security-Policy headers for all srcdoc iframes. This constrains what LLM-generated or user-uploaded HTML can load inside Artifacts, tool embeds, file previews and citation modals, limiting execution of untrusted scripts.

Users can now disable Markdown rendering independently for their own messages and for assistant responses through Interface settings. The option prevents unintended formatting when pasting configuration files, log output or code containing backticks and other Markdown-sensitive characters.

Additional controls let operators inject custom response headers into terminal proxy sessions via a JSON object in TERMINAL_PROXY_HEADERS.

These changes arrive as more teams run Ollama, OpenAI-compatible endpoints and built-in RAG pipelines entirely offline. The updates make granular policy enforcement practical at scale without altering the existing Docker, Kubernetes or responsive PWA experience.

The google-gemini/gemini-fullstack-langgraph-quickstart has received a significant update integrating deeper support for Gemini 2.5 within its LangGraph agent. This fullstack application pairs a React frontend with a backend that executes comprehensive research workflows. The agent dynamically creates search queries, retrieves information through the Google Search API, and applies reflective reasoning to detect knowledge gaps. It iterates on these searches until confident in its findings. The final output presents a synthesized answer backed by citations from the referenced web sources.

The repository maintains separate frontend/ and backend/ folders. After setting the GEMINI_API_KEY in the backend .env file, developers run pip install . for the Python dependencies and npm install for the React components built with Vite. The make dev target launches both servers with hot-reloading enabled.

This architecture proves particularly relevant today as teams seek production-ready patterns for agentic applications. The combination of LangGraph’s graph-based control flow with Gemini’s advanced reasoning capabilities offers a concrete starting point for systems that move beyond static responses toward active, iterative information gathering and synthesis.

Google's Gemini API Cookbook has been refreshed with targeted guides for recently added platform capabilities. The repository now includes a working webhooks quickstart that delivers real-time callbacks for asynchronous jobs such as batch processing and video generation, removing the need for repeated polling.

An inference tiers section explains when to choose Priority versus Flex plans, giving teams concrete trade-offs on latency, cost and reliability. Music generation receives extensive coverage through Lyria 3, with Jupyter notebooks demonstrating 30-second clip creation, full song composition with explicit structure control, and image-to-music workflows.

Image capabilities center on Nano-Banana 2 for fast 512px output and Nano-Banana Pro for 4K resolution. Both support thinking steps, search grounding and high-consistency editing for visual storytelling. A new file search guide shows how to ground generation in uploaded documents, while updated thinking and migration notebooks address the move to Gemini 3.

The material remains split between Quick Starts for individual features and composite Examples that combine them. All code runs interactively in Jupyter Notebooks, letting developers test changes immediately. As production use of multimodal Gemini features grows, these targeted updates supply the exact patterns teams need to move from experimentation to reliable deployment.

Five months after launch, OpenLegged's URDF-Studio has stabilized with the v1.0.0 release. The browser-based environment now provides production-ready support for editing robot topology, visual and collision geometry, and hardware parameters without constant XML editing.

The single-mode editor organizes work into tabs for kinematic tree construction, geometry authoring with measurement tools, collision optimization, and hardware configuration. An integrated motor library lets users specify transmission ratios, damping, friction, and metadata directly. Multi-robot assembly mode adds bridge joint creation and multi-file workspace management for modular builds.

Visualization runs on React Three Fiber with runtime URDF, MJCF, and USD viewers, transform controls, and diagnostic overlays. The AI assistant generates models, performs inspection, and exports PDF or CSV reports. Worker-assisted pipelines handle imports, USD hydration, prepared export caches, and roundtrip archives.

The 1.0 release introduced automated app version display in the About dialog and npm run version:bump scripts, replacing manual manifest edits. These changes reduce maintenance overhead for teams iterating on complex robotic systems.

Engineers now move fluidly from topology design to simulation-ready MuJoCo MJCF output inside one web application, shortening the traditional desktop-to-simulator handoff.

Recent contributions to awesome-robot-descriptions have strengthened its value for robotics simulation and development. The curated collection now features additional high-quality models for humanoids, quadrupeds and advanced manipulators.

The repository organizes entries in detailed tables, specifying each robot's manufacturer, supported formats, license and data completeness. Visuals, inertias and collision geometries receive explicit verification, with most models achieving full coverage.

Notable additions and updates include multiple variants of the Franka FR3, Kinova Gen3 in MJCF, URDF and Xacro, alongside KUKA iiwa and Med series arms. Quadruped and biped descriptions support the growing demand for locomotion research.

This update matters now because simulation fidelity directly impacts real-world deployment success. Engineers can import these descriptions directly into MuJoCo via MJCF or ROS ecosystems through URDF without recreating kinematic trees and dynamic properties.

Community maintenance ensures licenses remain permissive — predominantly Apache-2.0, BSD-3-Clause and MIT — enabling broad adoption. The list also curates related resources and maintains a visual gallery for easier model selection.

For teams building custom robots, the patterns established in these examples provide templates for generating compliant descriptions that work across simulators. The project demonstrates how centralized curation accelerates progress in a fragmented field, where consistent model quality often determines project viability.

rt-net/crane_x7_ros has released version 5.0.0, its first build targeted at ROS 2 Jazzy Jalisco. The update keeps full compatibility with Humble Hawksbill and Ubuntu 24.04 while adding practical improvements that matter to teams already using the seven-axis CRANE-X7 manipulator.

New contributions include RealSense camera_namespace handling, support for mock components that enable hardware-free testing, and a fresh moveit_py sample package. These changes reduce friction when moving between simulation and physical hardware or when integrating depth cameras.

The collection comprises six core packages. crane_x7_control manages USB serial communication with explicit port configuration steps. crane_x7_gazebo supplies simulation models, crane_x7_moveit_config provides ready-to-use MoveIt 2 settings, and separate example packages deliver both C++ and Python implementations of common tasks such as gripper control and pick-and-place sequences. A companion crane_x7_description repository supplies the xacro models under RT Corporation’s non-commercial license.

Typical workflow remains unchanged: clone the matching branch for your ROS distribution, run colcon build --symlink-install, then launch the demo and example nodes with simple ros2 launch commands. The Apache 2.0 licensing on most files continues to support research and internal development.

For labs and integrators already invested in the CRANE-X7 platform, the release keeps the stack current with the latest ROS 2 LTS tools and shortens the path from simulation to deployment.

OpenZeppelin has released Contracts v5.6.1, fixing an overflow in the InteroperableAddress parsing functions that previously caused silent misparsing of large addresses. The patch, merged in pull request #6372, eliminates a subtle error that could affect contracts handling cross-chain or non-standard address formats.

The change arrives as Ethereum teams face rising pressure to eliminate edge-case vulnerabilities before deployment. Developers using interoperable address logic should upgrade immediately from earlier 5.x versions.

Nearly a decade after its creation, the library continues to serve as the default foundation for secure smart contract work. It supplies audited implementations of ERC20 and ERC721 standards, a flexible role-based permissioning system, and reusable components for building upgradeable or complex decentralized applications. Semantic versioning is strictly observed: storage layouts between major releases are considered incompatible, requiring explicit migration for proxy-based contracts.

Release tags clarify audit status. npm install @openzeppelin/contracts delivers the audited latest version by default. The dev tag provides finalized but unaudited code that remains eligible for the bug bounty. The next tag is reserved for pre-release candidates.

The companion Contracts Wizard lets developers generate compliant starting contracts interactively. Installation works with both Hardhat and Foundry, though Foundry users must avoid common git submodule pitfalls noted in the documentation.

This incremental update reinforces why the library remains central to production systems where a single parsing error can lead to lost funds or broken interoperability.

Trivy version 0.70.0 arrived on April 16 with targeted improvements to its scanning engines. The update refines detection accuracy for cloud misconfigurations, reduces false positives in secret scanning, and expands SBOM coverage to match evolving regulatory demands.

The tool maintains its dual structure of scanners and targets. It examines container images, Kubernetes clusters, Git repositories, virtual machine images and filesystems. Scanners surface OS package vulnerabilities, application dependencies, IaC misconfigurations, embedded secrets, software licenses and full SBOM inventories. It supports the majority of popular languages, operating systems and cloud platforms.

Usage remains unchanged. A single binary or docker run aquasec/trivy command delivers results. Typical invocations include trivy image python:3.4-alpine for container analysis or trivy fs . for repository scans. Output lists severity, CVE references and, where available, remediation steps.

The release arrives as supply-chain incidents and SBOM mandates increase. Teams embed Trivy in GitHub Actions, Kubernetes operators and VS Code workflows to shift security left without adding toolchain complexity. Canary builds from the main branch let developers test upcoming changes, while production users stay on stable releases.

The steady cadence of updates keeps the project aligned with new cloud APIs, language ecosystems and threat intelligence sources.

NGINX has released mainline version 1.31.0, addressing multiple security vulnerabilities that affected its core HTTP processing, proxy, and resolver components. The update fixes an HTTP/2 request injection flaw in ngx_http_proxy_module (CVE-2026-42926), a buffer overflow in ngx_http_rewrite_module (CVE-2026-42945), buffer overreads in the SCGI, UWSGI, and charset modules, an address-spoofing issue in HTTP/3 (CVE-2026-40460), and a use-after-free during OCSP requests to the resolver (CVE-2026-40701).

Beyond hardening, the release introduces official support for HTTP forward proxying through the new ngx_http_tunnel_module and adds the least_time load-balancing method, which directs traffic to the upstream server with the lowest average latency and active connections. These additions arrive as organizations expand use of NGINX for zero-trust edge architectures and latency-sensitive microservices.

Written in C and distributed under a simplified BSD license, the project remains the reference implementation for high-performance web serving, reverse proxying, content caching, and TCP/UDP load balancing. The GitHub repository hosts the canonical source, with recent changes also improving connection-specific header handling and Windows OpenSSL integration.

The official recommendation is to upgrade promptly. Packages and build instructions are available on nginx.org, alongside updated documentation for TLS configuration, rate limiting, and dynamic module support.

The maintainers of whisper.cpp have shipped v1.8.4, a maintenance release that pulls in the newest ggml library and delivers measurable performance gains across CPU, GPU and NPU backends.

New -g/--gpu-device flags and matching environment-variable support give developers explicit control over GPU selection. UTF-8 truncation bugs in long transcribed segments are fixed, macOS XCFramework dSYM paths corrected, and server HTML routing no longer hard-codes the inference endpoint. Ruby bindings gained VAD::Context#segments_from_samples, safer Pathname handling and tighter token memory management. CMake files drop obsolete backend configuration, GitHub Actions are refreshed, and a Vulkan Docker image is now part of CI.

Since its 2022 debut the project has remained a plain C/C++ port of OpenAI’s Whisper model, free of runtime dependencies and external Python layers. It ships with ARM NEON, AVX, VSX, Metal, Vulkan, OpenVINO, NVIDIA CUDA and Ascend NPU backends, mixed F16/F32 precision, integer quantization, and zero runtime allocations. Voice Activity Detection is included in the core whisper.h/whisper.cpp API.

The lightweight design keeps inference viable on iPhone 13-class hardware, Raspberry Pi boards, WebAssembly runtimes and large cloud instances alike. This update ensures the library stays current as accelerator APIs and build tooling continue to evolve.

(178 words)

Warp has released v0.2026.05.13.09.15.preview_00, opening its client codebase and introducing native agentic workflows. Born in the terminal, the Rust-based tool now lets developers deploy its built-in coding agent or plug in external CLI agents including Claude Code, Codex and Gemini CLI. These agents operate directly inside bash, zsh and other shells on macOS and Linux.

The standout addition is the Oz system. Thousands of agents automatically triage issues, write specifications, implement changes and review pull requests. The build.warp.dev dashboard surfaces live sessions, contribution rankings and personal issue tracking after GitHub sign-in. A web-compiled Warp terminal allows observers to click into any active agent run.

Open-source maintainers can apply to the Oz for OSS program, which tailors these automated flows to individual repositories for community management and contributor coordination. The project maintains a lightweight contribution process documented in CONTRIBUTING.md, with discussion happening in the #oss-contributors Slack channel.

Licensing splits the offering: the warpui_core and warpui crates are MIT, while remaining code uses AGPL v3. The preview marks a deliberate shift toward transparent, AI-augmented maintenance that keeps the terminal as the primary workspace rather than moving work into separate IDEs or web platforms.

This update matters now because agent reliability has reached the point where repositories can run continuous automated oversight without losing human oversight or community involvement.

Bitcoin Core version 31.0 is now available from bitcoincore.org, the latest stable release of the software that enforces the Bitcoin consensus rules.

The C++ project serves as the canonical integration and staging tree. It connects to the peer-to-peer network, downloads blocks, and performs full validation of every transaction according to the protocol's cryptographic and consensus requirements. An optional wallet and graphical interface can be built from the same source.

Fifteen years after its creation, the codebase remains deliberately conservative. The master branch receives continuous builds, yet only tagged releases from dedicated branches are considered stable. Maintainers explicitly warn that testing and code review form the development bottleneck: incoming pull requests consistently outpace the team's capacity to merge them safely.

This matters because any error in validation logic can cost users real money. The project therefore urges operators to test others' changes and run the full unit-test suite with ctest. Automated tests are mandatory for both new and legacy code.

The GUI work has been extracted to the separate bitcoin-core/gui repository to simplify contributions while keeping the core engine focused on validation, networking, and cryptography. Binaries must be downloaded from the official site; GitHub-generated packages are not endorsed.

For an infrastructure layer that secures hundreds of billions in value, incremental hardening in releases like 31.0 is the routine but essential work.

Bruce firmware version 1.14 delivers concrete improvements to its established toolkit for Red Team operations on ESP32 hardware. The release optimizes WiFi deauthentication with streamlined frame building, adds BLE scanning to wardriving, and introduces password recovery using wordlists on T-Embed devices.

The JavaScript interpreter has been migrated from ducktape to mQuickJS, bringing microphone support, input masking, six new display functions, and full keyboard availability for scripting. RFID handling received API refactoring for MQJS, plus new SRIX4K and SRIX512 tools with improved Mifare key management. Additional changes include theme refactoring, background timezone updates, LovyanGFX and M5GFX display HAL support, and TV-B-Gone optimizations.

These updates matter because Bruce remains one of the most complete offensive platforms for portable hardware. It runs on M5Stack Cardputer, Lilygo T-Deck and T-Embed, StickC, and various ESP32-S3/C5 boards. Core features include evil portals with deauth, ARP poisoning, Wireguard tunneling, Bad BLE ducky scripts, platform-specific BLE spam, NFC cloning, and raw packet sniffing.

The project’s open-source hardware boards at bruce.computer further integrate the firmware into a cohesive ecosystem. Active community contributions via Discord keep the tool aligned with current penetration-testing needs two years after its initial release.

Home Assistant users now have fresh guidance on incorporating local artificial intelligence thanks to updates in the frenck/awesome-home-assistant repository. The curated list recently added dedicated sections for AI & LLMs, energy monitoring and multi-instance setups.

The resource collects custom integrations, dashboard cards, automation examples and configurations. All maintain a focus on local control and privacy, core tenets of the project stewarded by the Open Home Foundation.

Most listed items install directly through HACS. Categories range from lighting and climate control to security systems, voice assistants and vacuum robots. Newer entries address Bluetooth device tracking, battery monitoring and dashboard frameworks.

The list also points to official communities and public example configurations. Contributors follow a defined guide to suggest additions, ensuring the collection remains current.

With rising interest in sustainable living and data sovereignty, these updates help users navigate options for solar integration, local voice processing and federated home automation. The project serves as an essential starting point for tinkerers seeking to customize their setups without proprietary cloud services.

Builders using Godot for 3D pixel art now benefit from improved consistency in Yugen's Terrain Authoring Toolkit. The public Marching Squares plugin saw its v1.2.4 release, delivering targeted bug fixes and quality-of-life enhancements.

The toolkit lets developers manipulate terrain on a chunk-based grid. Core operations include elevating or lowering cells, leveling to specific heights, and smoothing based on neighboring values. Users can draw bridges, paint from a palette of 16 textures, and deploy grass via mask maps that control MultiMeshInstance3D instances.

Version 1.2.4 resolves previous problems with texture and color updates in the settings tab. It corrects grass floating above terrain when using smaller cell dimensions. Preset handling now maintains correct textures across switches and project launches.

The update also refines the inspector interface. The storage_mode tab conceals BAKED properties during RUNTIME selection, reducing visual clutter.

These changes matter for projects requiring precise control over blocky yet smooth terrain. The plugin's adjustable merge threshold lets creators dial between crisp pixel looks and softer forms. Documentation in the addon's folder details advanced usage, while the linked Discord supports community sharing and issue reporting.

Godot 4.6.2 is a maintenance release that hardens the engine's foundation without breaking compatibility. It addresses stability problems, usability friction, and assorted bugs reported since 4.6.0, making daily work more predictable for developers handling complex scenes.

The update improves editor responsiveness during large-scale node editing and tightens error handling in the scripting runtime. Rendering fixes reduce visual artifacts in both 2D canvas items and 3D Vulkan pipelines, especially on mobile hardware. Export templates now manage platform-specific edge cases more cleanly, from Android permissions to WebAssembly performance.

Because the release maintains binary compatibility with prior 4.x versions, teams can upgrade existing projects without code changes. This matters for studios balancing tight schedules against engine updates. The C++ codebase, developed in the open under the MIT license, continues to evolve through community contributions coordinated by the Godot Foundation.

Documentation and class references have been refreshed to match the fixes. The curated changelog lists each adjustment, ranging from minor UI corrections to critical crash prevention.

For builders shipping across Linux, macOS, Windows, Android, iOS, web, and consoles, the release reduces deployment surprises. It demonstrates how sustained, incremental attention keeps a mature engine viable in production environments.