The Git Times

Three years after launch, rasbt/LLMs-from-scratch continues receiving targeted maintenance. The latest commits update its Jupyter notebooks for full compatibility with PyTorch 2.4, integrating torch.compile and FlashAttention to cut training time and memory usage on consumer GPUs.

The repository supplies the complete implementation for a decoder-only GPT-style model. Notebooks advance incrementally: byte-pair encoding tokenization, causal self-attention with proper masking, layer normalization, feed-forward blocks, and the full pretraining loop using cross-entropy loss. Code for loading OpenAI and Hugging Face weights enables continued pretraining or parameter-efficient LoRA finetuning without retraining every layer.

This mirrors the development path of production models such as ChatGPT yet fits comfortably in 16 GB RAM. Each stage includes tensor-shape diagrams, training curves, and text-generation examples that demonstrate learning dynamics after every epoch.

The updates matter now as teams subject to stricter AI auditing requirements turn to transparent, from-scratch implementations to verify internal mechanics. Rather than treating models as black boxes, engineers use these notebooks to experiment with architectural variants and observe how hyperparameters influence output coherence.

Build a Large Language Model (From Scratch) remains a precise technical reference for builders who need to move beyond high-level APIs.

Diffusers v0.38.0 introduces four new pipelines that extend its utility across text, image, and audio generation. The release integrates LLaDA2, which generates text by starting with a fully masked sequence and iteratively unmasking tokens according to confidence scores rather than autoregressive prediction. It also adds NucleusMoE, a 17-billion-parameter sparse mixture-of-experts model that activates only 2 billion parameters per inference for image synthesis, and Ernie-Image, an 8-billion-parameter model optimized for efficiency.

LongCat-AudioDiT brings text-to-audio capabilities, completing the set of multimodal additions. These pipelines sit alongside the library's established components: ready-to-run DiffusionPipeline classes, interchangeable noise schedulers, and standalone pretrained models such as UNet2DModel and DDPMScheduler that developers combine for custom end-to-end systems.

Installation continues through the familiar pip install --upgrade diffusers[torch] command, with models pulled directly from the Hub. The library's emphasis on usability and composability over rigid abstractions has made it the default choice for both quick inference and research-oriented training since its introduction in 2022.

The new pipelines arrive as teams seek unified tooling for discrete diffusion language modeling and scalable architectures. By absorbing these implementations, Diffusers reduces the overhead of integrating emerging techniques while preserving PyTorch-native flexibility.

**

Streamlit has released version 1.57.0, bringing a major architectural shift to the Python library that turns scripts into interactive web applications. The headline change makes Starlette the default server and fully removes the Tornado dependency, modernizing the backend after years of parallel support.

The update contains breaking changes that existing codebases must address. Deprecated keyword arguments have been excised from plotly_chart and vega_lite_chart. The _get_websocket_headers function is gone. Data handling now uses direct Polars-to-Arrow conversion that bypasses pandas, delivering measurable performance improvements for large datasets.

New capabilities focus on usability and polish. Alert elements accept a title parameter for clearer messaging. The :shimmer[] markdown directive creates animated loading text. AppTest gains properties for pills, segmented controls and dataframes, while the App class is now exposed directly in the st namespace.

These refinements arrive as teams accelerate deployment of LLM chatbots, scientific dashboards and real-time analytics tools. Streamlit's core workflow remains unchanged: write standard Python, see live updates in the browser, then deploy instantly on Community Cloud. The release tightens the balance between simplicity and production readiness that has defined the project since 2019. Installation stays straightforward with pip install streamlit followed by streamlit run.

Installation

pip install streamlit
streamlit run streamlit_app.py

NiceGUI v3.12.0 addresses two security vulnerabilities and ships targeted improvements to its Python-based UI toolkit.

The release prevents local file disclosure in ui.restructured_text via Docutils file insertion directives. It also blocks unauthenticated log-volume denial-of-service attacks on dynamic resource and ESM module routes. Both issues received coordinated disclosure and carry CVE identifiers.

On the feature side, enable(), disable(), set_enabled(), set_visibility() and similar methods are now chainable, allowing tighter code. ui.mermaid content is auto-dented like Markdown. CPU-bound workers supplied by run.cpu_bound suppress noisy KeyboardInterrupt tracebacks on Ctrl-C. A longstanding RuntimeError involving SemLock objects shared between fork and spawn contexts has been fixed for CPython 3.11.5 and newer when native=True and reload are combined.

Five years after its first release, NiceGUI remains popular for micro web apps, robotics control panels, smart-home dashboards and machine-tuning tools. Its implicit reload, high-level elements for 3D scenes, virtual joysticks, live tables and 10 ms timers continue to reduce boilerplate. The security patches and quality-of-life changes make the framework safer for production use while preserving the rapid iteration that builders expect.

Installation is unchanged: python3 -m pip install nicegui.

OpenBot has shipped version 0.8.0, bringing a browser-based visual programming environment and cross-platform controls to its established system for turning smartphones into robot brains. The project pairs an off-the-shelf $50 electric vehicle chassis with a phone that handles perception and planning, while an Arduino board manages motor drivers and low-level I/O. Core workloads include person following and real-time autonomous navigation using the phone's cameras and sensors.

The headline addition is the OpenBot Playground, a React Blockly web application that lets users assemble robot behaviors with drag-and-drop blocks rather than writing Swift or Kotlin. Updates in this release extend Blockly support to both Android and iOS clients. A new Flutter controller delivers live video feeds over WebRTC, while a remote web server enables browser-based teleoperation. WiFi access-point pairing between robot and controller phones now works on iOS as well, removing previous platform friction.

Five years after the project's debut, these changes focus on lowering the entry barrier for educators and builders who already run OpenBot fleets. The hardware remains deliberately simple: a small chassis, two motors, and a smartphone. The software stack continues to support training custom driving policies directly on the device. Release contributors added mirror control logic for front-facing cameras and refined connection handling, concrete refinements that address long-standing user requests.

The result is a more flexible platform for deploying deep-learning models on hardware that most people already own.

GTSAM remains a cornerstone library for smoothing and mapping in robotics and computer vision by modeling problems as factor graphs and Bayes networks instead of raw sparse matrices. Version 4.2.1 delivers a focused maintenance update that resolves several long-standing issues in production estimation pipelines.

The release corrects multiple ISAM2 bugs that could produce incorrect marginals during incremental updates. A new regression test guarantees that marginal-factor operations no longer inflate the graph unexpectedly. Python bindings now expose Jacobians for Pose2 component access, enabling more precise gradient-based tuning in sensor-fusion loops. Package metadata has been corrected so dependent projects automatically pull the right runtime libraries.

Build infrastructure improvements include automated wheels for Python 3.11–3.14, dedicated macOS arm64 and x86_64 jobs, and NumPy pinned below 2.0 to preserve compatibility with the embedded pybind11 layer. The pipeline also accommodates newer Boost and CMake releases without breaking existing 4.2 workflows.

These changes arrive as many teams ship perception stacks that demand repeatable accuracy under real-time constraints. The factor-graph approach lets engineers compose complex models from reusable probabilistic factors, simplifying both prototyping and optimization.

The develop branch has entered pre-4.3 mode. It will drop several deprecated APIs, complete the migration to C++17, and remove most Boost dependencies. Users relying on serialization or older timing utilities should audit code against the 4.2 deprecation flags before the next major release.

**

Four years on, edoardottt/awesome-hacker-search-engines remains a key reference for security practitioners conducting reconnaissance. Its May update added new entries focused on crypto tracking, surveillance systems and people search, addressing gaps in contemporary red and blue team operations.

The list categorizes search engines into practical groups. Under Servers, it features Shodan, described as the search engine for the Internet of Everything, alongside Censys, ZoomEye, GreyNoise, Netlas.io and FOFA. These tools allow mapping of internet-facing assets at scale and classification of benign versus malicious traffic.

The Vulnerabilities section links to NIST NVD, MITRE CVE, GitHub Advisory Database, osv.dev and Vulners.com, enabling efficient tracking of disclosed weaknesses and exploits. Security teams use these during vulnerability assessments to prioritize remediation efforts and monitor new CVEs.

For attack surface management, categories covering Domains, URLs, DNS and Certificates help identify misconfigurations and exposed services. The Credentials, Leaks and Hidden Services sections support defensive searches for compromised corporate data.

Threat Intelligence platforms like Onyphe.io and Quake provide context on active campaigns and network scanning activity. The project's clear structure makes it simple to navigate during time-sensitive engagements.

With attack surfaces expanding through cloud services and IoT devices, the maintained directory delivers measurable efficiency gains. Contributors continue adding resources, keeping the list aligned with current tactics.

PhoneSploit Pro has received its most substantial update since launch. Version 2.0 converts the original monolithic Python script into a cleanly structured modular package, with phonesploitpro.py now acting as a thin launcher for the new modules.cli system.

The release integrates Rich for a modern terminal experience featuring tables, panels, spinners and themed output. External tool resolution is now configurable at startup for ADB, Metasploit-Framework, scrcpy and Nmap, reducing setup friction. Network discovery has been upgraded with python-nmap integration that scans LANs and delivers ADB-specific host summaries, allowing pentesters to locate devices with port 5555 exposed more quickly.

The menu has grown to five pages containing 62 numbered actions. New ADB-centric functions include port forwarding, WiFi utilities, root heuristics, app lifecycle controls, permission management, split-APK handling and live logcat streaming. Core exploitation remains unchanged: the tool automates payload creation, installation and execution to deliver a Meterpreter session when an ADB port is reachable.

These changes make the project more maintainable for contributors and more efficient for authorized security testing and vulnerability assessment on Android devices.

(178 words)

KeePassXC maintainers released version 2.7.12, delivering targeted improvements to its established password management codebase. The C++ application stores usernames, passwords, URLs, attachments and notes in encrypted KDBX4 or KDBX3 files that remain offline and portable across Windows, macOS and Linux.

The update sets BE and BS flags to true for passkeys, a change that may break existing passkeys and requires user verification. It adds support for TIMEOTP autotype and entry placeholders. Browser integration now shows full URLs in access dialogs, while Bitwarden import gains nested folder handling.

Security fixes dominate the release. Patches prevent exploits through OpenSSL configurations. A Linux Auto-Type race condition was reverted, and attachment filenames are sanitized before saving. Additional corrections address browser setting persistence, URL validation with placeholders, and minor theme inconsistencies.

The project retains core strengths: YubiKey and OnlyKey challenge-response support, integrated TOTP generation, advanced search, customizable groups, and a flexible password generator for both random strings and passphrases. Auto-Type injects credentials directly into target applications. Browser extensions maintain compatibility with Chrome and Firefox.

For builders who demand verifiable, offline control of credentials, these incremental changes reinforce KeePassXC’s position as a mature, community-driven option.

Moby, the modular foundation for assembling container systems, shipped version 29.5.0 with targeted improvements to security, networking and operational flexibility.

The most significant change replaces slirp4netns with gvisor-tap-vsock as the default rootless network driver. Docker packaging no longer installs the older driver, reflecting a clear preference for the new implementation's performance and compatibility in unprivileged environments.

Containers now run with private time namespaces enabled by default on supported kernels. This delivers stronger isolation by giving each container an independent view of system time, aligning with Moby's principle of usable security that avoids sacrificing developer experience.

The local logging driver adds support for custom attributes through label, label-regex, env, env-regex and tag options. Administrators gain finer control over log formatting directly from the daemon without additional tooling.

Windows users benefit from daemon support for listening on Unix sockets (-H unix://...), including optional group-based access control via the --group flag.

A security patch addresses CVE-2026-32288, closing a denial-of-service vector where maliciously crafted images with sparse tar archives could trigger unbounded memory allocation during pulls.

These updates maintain Moby's role as an extensible toolkit for engineers who modify, experiment with and build custom container platforms. As the upstream project for Docker, it continues delivering swappable components that prioritize functional APIs over prescriptive user interfaces.

Recent commits to the git/git repository highlight continued refinements to the packing, delta, and index subsystems. With the latest push arriving in May 2026, maintainers have tightened memory usage and accelerated object enumeration, directly addressing the performance demands of modern monorepos that can contain tens of millions of commits.

Git remains a fast, scalable, distributed revision control system written chiefly in C. It supplies both porcelain commands for daily workflow and the full plumbing interface that lets automation tools manipulate objects, refs, and the index directly. Its design lets developers work offline then synchronize changes through ordinary push and fetch operations, preserving complete history without a central server.

The contribution model stays true to its kernel roots. The GitHub mirror is publish-only; pull requests are automatically converted into mailing-list patches by GitGitGadget, letting newer contributors participate without learning SMTP patch workflows. All submissions still follow the established Documentation/SubmittingPatches rules and CodingGuidelines.

This matters now because the largest technology organizations have standardized on monorepos. Every incremental improvement in clone speed, garbage collection, and partial clone support translates into measurable reductions in CI cycle times and developer wait time across the industry. The project’s steady evolution keeps it the default foundation for code collaboration at every scale.

**

HashiCorp shipped Terraform 1.15.3 on May 13, delivering three targeted fixes that remove friction for teams managing sophisticated deployments.

The update corrects a failure when migrating resources nested across multiple module layers that rely on implicit provider configuration. It also ensures the cloud backend forwards the -generate-config-out flag correctly and prevents crashes during provider installation on configurations lacking explicit setup.

These changes matter for practitioners who treat infrastructure as code. Terraform lets teams declare resources in configuration files that can be versioned, reviewed and shared like application code. Its execution plan reveals exactly what will change before any modification occurs. The tool then assembles a resource graph that identifies dependencies and parallelizes creation of independent components, delivering both safety and speed.

Written in Go and first released in 2014, the project supports major cloud platforms alongside custom internal services. The latest refinements particularly benefit organizations operating deep module hierarchies and automated CI/CD pipelines. As cloud estates grow more interconnected, such stability updates keep terraform apply predictable and minimize unplanned downtime.

Infrastructure as Code remains the project's central value: operators define desired state once, then let Terraform orchestrate the rest with minimal manual intervention.

The ToothPaste project's latest firmware release updates the receiver to use GPIO48 for the LED, matching most ESP32-S3 development boards and effectively retiring the custom PCBv1 design. Release notes stress selecting the correct flash size when writing the image with esptool to prevent undefined behavior.

ToothPaste V2 transmits AES-256 encrypted keyboard and mouse commands over BLE to any USB HID host. An ESP32-S3 paired with a dedicated cryptographic IC manages ECDH key exchange, Argon2 hashing and mbedtls encryption routines. The receiver requires no drivers on the target, appearing as a standard keyboard that operating systems trust by default.

The design specifically addresses one-off transfers to BIOS screens, air-gapped machines or untrusted computers where installing password managers or KDE Connect is impractical. Browsers on desktop or mobile initiate sessions through the Web BLE API; a React frontend handles the user interface. Demonstrations show an iPad controlled from a laptop browser and a remote Linux system operated from a phone.

The firmware matters now because it lowers deployment friction while preserving hardware-backed security. As more builders work with restricted systems and wireless pentesting tools, the project offers a concrete, open-source alternative that avoids both manual typing and unencrypted Rubber Ducky-style attacks.

Tulip CC's v-may-2026 release delivers targeted fixes that improve daily use of the portable Python creative computer. The update gates the sync modal behind an explicit Pull button in the web interface, skips unnecessary gating on internal saves, and refreshes DX7 filter knobs in example sketches. Firmware flashing guidance now tells users to press BOOT then RST after upload, while the getting-started documentation adds a full DIP switch section. A new background task corrects I2C follower input so external sensors work reliably.

Four years after launch, these changes keep the project focused on low-friction creation. The ESP32-S3 hardware boots instantly into a MicroPython prompt backed by the AMY synthesizer and LVGL graphics library. It supplies 2 MB for user code, 32 MB flash filesystem, hardware MIDI, networking and a 320×240 touchscreen, all running without operating-system overhead.

At $59 from Makerfabs or buildable from open files, Tulip CC remains an accessible self-contained instrument. The web version and desktop apps (Mac, Linux, WSL) let users prototype and share compositions without hardware. The release shows the maintainers' continued emphasis on stability over new headline features.

Tulip demonstrates how specialized embedded hardware can give coders an immediate, distraction-free canvas for music, graphics and live performance.

MonoGame has released version 3.8.4.1, a targeted maintenance update that fixes Google Play's 16KB alignment policy requirements and updates iOS audio libraries. Desktop, Linux, macOS and console builds remain unchanged.

The new version requires developers to update client projects to .NET 9 and remove the RestoreDotNetTools section from their csproj files, since that capability has moved into the official MonoGame NuGet packages. It also bumps OpenAL, links CoreAudio and AudioToolbox on iOS, and pins the SDK version with a global.json file for reproducible builds.

Preview support for Vulkan and DirectX 12 is progressing toward the 3.8.5 release. These will join the existing OpenGL and DirectX 10 back ends already available across supported platforms.

As the open-source re-implementation of Microsoft's XNA Framework, MonoGame lets C# developers target Windows 10 (22H2+), Linux distributions with glibc 2.27+, macOS 13 Ventura+, Android 6+, iOS 12.2+, and registered console kits for PlayStation 4/5, Xbox and Nintendo Switch. The framework has powered shipping titles including Celeste, Stardew Valley, Streets of Rage 4 and Carrion.

Official samples such as the upgraded 2D Platformer and NeonShooter run on every platform, while documentation and API references help teams maintain large codebases as platform policies evolve.

Word count: 178

Bevy v0.18.1 focuses on stability and efficiency improvements following the larger 0.18.0 release. The update tightens Entity Component System scheduling, reducing contention in parallel systems that process large numbers of entities per frame. Rust's ownership rules remain central, enabling safe concurrent execution without data races.

Asset pipeline changes shorten load times for complex scenes by streamlining how textures, meshes, and animations are prepared. The bevy_render and bevy_pbr modules received targeted optimizations that lower draw-call overhead in 3D applications. Migration from v0.18.0 remains straightforward, with the project supplying explicit guides for the limited breaking adjustments.

The engine's modular structure continues to let teams include only required plugins, keeping compile times short and binaries lean. This design supports both rapid prototyping and production workloads. Minimum Supported Rust Version stays aligned with recent stable releases, giving developers immediate access to language improvements in error handling and concurrency primitives.

Frequent iteration every three months has become standard. The 0.18 series prioritizes completing 2D and 3D feature parity while preserving the data-driven philosophy that separates Bevy from traditional object-oriented engines. Community input via Discord and GitHub discussions directly shaped several fixes in this point release.

Flame 1.37.0 introduces targeted improvements that sharpen its utility for Flutter-based game development. The update adds HueEffect and HueDecorator classes, letting developers shift colors dynamically on sprites, animations and tile maps without writing custom shaders.

OverlayManager.setActive() now gives precise runtime control over interface layers. The new HasAutoBatchedChildren mixin automates rendering batches for child components, while the Block class has been decoupled from IsometricTileMapComponent and given helper methods for flexible map handling.

Maintenance changes fix flaky tests by correcting hash combining inside CollisionProspect and remove async requirements from test helpers, simplifying CI pipelines.

Eight years after its creation, Flame continues to deliver a lean game loop, component system, collision detection, gesture input, particles and sprite-sheet support. Official bridge packages connect it directly to audio playback, Bloc state management and fire-atlas tools, keeping integrations inside the Flutter widget tree.

These incremental updates reduce boilerplate and eliminate common sources of instability. For teams already shipping Dart games, the release strengthens stability and visual flexibility without increasing the lightweight footprint that made Flame attractive inside Flutter in the first place.