🐥 YellowDuck.be

🔗 Computer use is 45x more expensive than structured APIs

2026-06-03T17:00:00Z

A benchmark study shows that AI agents using computer vision to navigate web interfaces are 45 times more expensive than those using structured APIs, largely due to higher token consumption and performance variance. While vision-based agents are still necessary for third-party software, auto-generating API surfaces for internal tools provides a far more efficient and cost-effective deployment strategy.

Continue reading on reflex.dev

#reading-list #tools #best-practice #ai

🔗 Why developers should – and shouldn’t – use LLMs in our development

2026-06-03T13:00:00Z

Why should I use AI? This pressing question is at the forefront of our evolving software development landscape. In the wake of LLMs like ChatGPT, developers must decide how to harness this technology effectively. While LLMs excel at handling repetitive tasks or producing prototypes quickly, they can compound security risks and tech debt if misused. I found that the clients I work with sometimes desire AI solutions even when they're unnecessary. This muddles our understanding of their actual needs, highlighting the importance of expert insight over flashy trends. I’ve noticed the most significant shifts in our workflow center on using LLMs to free developers from rote tasks, allowing us to focus on creative problem-solving instead. However, caution can't be overlooked: without proper review, LLM-generated code can lead to serious vulnerabilities.

Continue reading on tighten.com

#reading-list #development #best-practice #ai

🔗 The robots are replacing the packages

2026-06-03T08:00:00Z

The way AI-assisted development is changing how developers handle package installations is striking. Manual coding may have taken time, but with intelligent agents automating the background work, developers can focus on high-level tasks. The article categorizes common scenarios developers face in package decision-making: shared problems where robots excel, complex issues requiring thorough modeling, external dependencies needing ongoing maintenance, and opinionated frameworks shaping project direction. By understanding which problems to delegate to robots versus those that require human oversight, developers make smarter choices. The piece emphasizes a shift from finding solutions to knowing whether one wants to own a particular problem, marking a significant evolution in software development practices.

Robots are taking over package handling, letting us focus on complex problems. Discover the four categories that define when to leverage this AI power.

Continue reading on spatie.be

#reading-list #development #best-practice #ai

🐥 Why crypto.getRandomValues() matters in JavaScript

2026-06-02T17:00:00Z

Generating random values sounds simple, until you need randomness that is actually secure.

A lot of JavaScript developers reach for Math.random() out of habit. While that works fine for visual effects, games, or non-critical IDs, it should never be used for anything security-sensitive.

That’s where the Web Crypto API comes in.

The problem with `Math.random()`

Math.random() is not cryptographically secure.

Its output is deterministic and predictable enough that an attacker may be able to reproduce or guess generated values under certain conditions.

That makes it unsuitable for:

Session tokens
Password reset links
API keys
CSRF tokens
Encryption keys
Secure identifiers

Example:

const id = Math.random().toString(36).slice(2)

This may look random, but it is not secure.

Using `crypto.getRandomValues()`

Modern browsers provide a secure random number generator through the Web Crypto API.

Example:

const bytes = new Uint8Array(16)

crypto.getRandomValues(bytes)

console.log(bytes)

This fills the typed array with cryptographically secure random bytes provided by the operating system.

Generating a secure random token

A common use case is generating secure tokens or identifiers.

function generateToken(length = 32) {
  const bytes = new Uint8Array(length)

  crypto.getRandomValues(bytes)

  return Array.from(bytes)
    .map(byte => byte.toString(16).padStart(2, "0"))
    .join("")
}

console.log(generateToken())

Example output:

4f8b7d3a1f9e0c8d7a2b6c5d4e3f1a9c

This is significantly safer than using Math.random().

Typed arrays are required

crypto.getRandomValues() only works with integer-based typed arrays.

Supported examples include:

new Uint8Array(32)
new Uint16Array(16)
new Int32Array(8)

This will fail:

crypto.getRandomValues([])

Because regular JavaScript arrays are not supported.

Browser and runtime support

crypto.getRandomValues() is widely supported in modern browsers.

It is also available in runtimes like:

Node.js
Deno
Bun

Example in Node.js:

const bytes = new Uint8Array(16)

crypto.getRandomValues(bytes)

console.log(bytes)

In older Node.js versions, developers typically used:

require("crypto").randomBytes(16)

UUID generation

If your goal is generating UUIDs, modern runtimes also support:

crypto.randomUUID()

Example:

550e8400-e29b-41d4-a716-446655440000

Internally, this also uses cryptographically secure randomness.

Things to remember

Use Math.random() for non-security-related randomness only
Use crypto.getRandomValues() for anything security-sensitive
Prefer crypto.randomUUID() when generating UUIDs
Always generate randomness using the operating system’s secure RNG

For modern JavaScript applications, crypto.getRandomValues() should be the default choice whenever security matters.

#javascript #best-practice #auth

🔗 The language of the boundary

2026-06-02T13:00:00Z

The article discusses the development journey of creating a JSON Schema validator library for Elixir, detailing the complexities encountered when integrating JSON schema validation with Open API Spex. It emphasizes the necessity of validating data at boundaries, where untrusted external data is handled. The author, reflecting on past experiences, distinguishes between validating solely within Elixir and creating a shared understanding through JSON Schema among various programming teams, particularly in relation to Python and TypeScript. In exploring the challenges of maintaining and implementing validation rules effectively, the piece advocates for treating validation rules as data rather than as code, highlighting the importance of schemas as a means of ensuring compatibility and accuracy across different technologies. Ultimately, the author champions JSON Schema as the preferred solution for establishing clear, functional boundaries in application development.

Continue reading on lud.codes

#reading-list #development #best-practice #elixir

🔗 AI agents keep failing. The fix is 40 years old.

2026-06-02T08:00:00Z

AI agents often falter due to hidden dependencies in the code, leading to failures in production environments. This issue stems not from the models themselves but from the tight coupling and mutable states in the codebase that AI agents cannot effectively navigate. As Cyrus Radfar points out, while human developers build mental models over time, AI lacks that context, resulting in complicating hidden states that cause cascading errors. To remedy this, he suggests applying long-established principles of functional programming from the 1980s. By ensuring that all functions are pure, with explicit data flows and minimal side effects, AI agents can operate more reliably in scenarios where codebases contain numerous dependencies. This approach enables agents to modify functions without facing the risk of unintended consequences from hidden global states. The implementation of these principles could significantly enhance AI-driven development practices.

Continue reading on cyrusradfar.com

#reading-list #development #best-practice #ai

🔗 Claude Code is a build system, not a chatbot

2026-06-01T17:00:00Z

Claude Code redefines the interaction with AI coding by treating it as a build system rather than merely a chatbot. After a year of iteration, the author emphasizes the importance of treating AI like a configurable, layered, and observable engineering system. By moving from passive to active enforcement of coding standards and best practices, projects become less prone to errors, especially when attention drifts. The article explains how to set up automatic checks, the significance of writing standards clearly, and the benefits of using specialized subagents for tasks, plus future-proofing code through systematic hooks. With insights from the author's experiences across various programming languages, this piece serves as a guide to enhance AI-driven development and maintain consistency and quality in coding practices over time.

Continue reading on vinny.dev

#reading-list #development #tools #best-practice #ai

🔗 Functional programmers need to take a look at Zig

2026-06-01T13:00:00Z

What if a programming language could change the way functional programmers think about system memory management? In this article, the author examines how Zig introduces innovative memory management solutions that could appeal to functional programmers tired of traditional approaches.

They dive into the unique aspects of Zig, particularly its comptime feature, which simplifies type-system programming. The author argues against the reliance on garbage collection in existing functional languages, noting that it hampers performance and obscures the underlying machine language of programming.

With examples illustrating Zig's capabilities, the article showcases how this language not only improves performance but also allows developers to express their ideas more clearly and effectively. Zig’s design choices encourage deeper understanding of systems programming while maintaining the benefits of functional programming principles.

Continue reading on pure-systems.org

#reading-list #development #pattern #best-practice

🔗 API versioning should be your last resort

2026-06-01T08:00:00Z

Versioning doesn't have to be the go-to solution when evolving an API. Instead, focusing on effective change management can lead to better API longevity. This article emphasizes that API versioning is a compatibility tool, not a design strategy.

It outlines how many API changes can be managed without resorting to creating new versions. Key principles include keeping existing fields intact, ensuring optional data remains optional, and incorporating new operations instead of modifying old ones. The discussion delves into how breaking changes happen beyond just URL modifications, bringing attention to aspects like request validation and operational shifts.

Overall, this piece encourages a mindset shift towards compatibility and thoughtful management rather than adhering to versioning as a default approach.

Continue reading on www.milanjovanovic.tech

#reading-list #development #best-practice

🐥 How to find all Jira issues ever assigned to someone (even historical ones)

2026-05-31T17:00:00Z

If you've ever tried to pull up all the tickets that Sarah Mitchell worked on last year, you've probably started with the obvious query:

assignee = "sarah.mitchell@example.com"

And then realised it only shows her current tickets — not the ones she handed off to Tom Bergkamp or closed six months ago.

Here's the fix.

The `was` operator

Jira's JQL has a was operator that checks the change history of a field, not just its current value. So to find every issue Sarah was ever assigned to:

assignee was "sarah.mitchell@example.com"

Simple, but powerful.

Checking multiple people at once

Need to audit the work of an entire sub-team? Use was in with a list:

assignee was in ("sarah.mitchell@example.com", "tom.bergkamp@example.com", "priya.nair@example.com")

This returns any issue that was assigned to any of those three people at any point in time.

Scoping to a specific year

Combine it with the during clause to limit results to a time window — useful for annual reviews, retrospectives, or handover audits:

assignee was in ("sarah.mitchell@example.com", "tom.bergkamp@example.com") during ("2025-01-01", "2025-12-31")

This only matches issues where one of them was the assignee at some point during 2025 — even if the ticket has since been reassigned or closed.

Putting it all together

A full, practical query might look like this:

project = "PLATFORM"
AND assignee was in ("sarah.mitchell@example.com", "tom.bergkamp@example.com")
AND during ("2025-01-01", "2025-12-31")
ORDER BY updated DESC

The was operator works on other fields too — status was "In Progress", priority was "High", etc. — so it's worth keeping in your JQL toolkit whenever you need to query history rather than current state.

#tools #best-practice

🔗 How I write HTTP servers

2026-05-31T13:00:00Z

No one enjoys redundant tasks, yet composing and testing HTTP servers from scratch often leads to repetition. In this article, Blain Smith shares his experience crafting HTTP servers, focusing on creating REST APIs with vital features like JSON/XML support and authorization tokens. He emphasizes the importance of starting from individual handlers rather than the main server, which aids in identifying dependencies.

The article also dives into setting up request/response lifecycle tests without needing an actual server. By employing middleware for logging and authorization, he showcases how each component can be efficiently layered, making handlers both functional and secure. This approach not only promotes cleaner code but also lays the groundwork for robust server architectures.

Continue reading on blainsmith.com

#reading-list #golang #development #best-practice #http #testing

🔗 I don't want your PRs anymore

2026-05-31T08:00:00Z

With the rise of LLMs, code contributions are losing their value. The author articulates a stance against merging pull requests (PRs) because of concerns about malicious intent and the escalating complexity of code reviews. Instead, the article suggests alternative methods for collaboration which include providing feedback, discussing ideas, and reporting bugs. It highlights that while code writing is becoming automated, the need for meaningful insights and unique perspectives remains crucial. Rather than submitting PRs, contributors are encouraged to fork projects, prototype changes, and share their findings. This shift emphasizes a more collaborative and efficient approach to software development, reflecting the evolving landscape of coding and maintenance.

Continue reading on dpc.pw

#reading-list #development #best-practice #ai #github

🔗 The age of refinement: optimizing search performance for MCP systems

2026-05-30T17:00:00Z

Search isn’t finished when it works; it’s finished when you can prove it works—and refine it when it doesn’t. Christoph Beck’s article on search performance optimization for MCP systems highlights the importance of crafting good questions for effective search evaluation. This involves creating a dataset of specific queries tied to relevant document chunks, allowing teams to measure and improve their search strategies accurately. By focusing on metrics like precision and recall, Beck explains how to transition search from a black box to an iterative, improvable system, ultimately enhancing user experience and system reliability. His insights make it clear that understanding the nuances of search can significantly impact overall performance in MCP environments.

Continue reading on bitcrowd.dev

#reading-list #best-practice #ai #testing

🔗 OpenAPI DSLs: The silent developer productivity killer

2026-05-30T13:00:00Z

I learned that relying on Domain-Specific Languages (DSLs) for OpenAPI documentation can lead to significant productivity pitfalls. In a recent experience with Elixir, I faced a convoluted mess when trying to manage my API specs embedded within controller logic. The DSL library imposed rigid structures, causing unnecessary complexity and confusion. The result? I had to switch back to a straightforward YAML specification, which not only simplified the process but also reduced errors when interacting with AI tools like ChatGPT. Without the added abstraction, the YAML format was easier to read, and it became apparent that the claimed benefits of the DSL didn't outweigh its drawbacks. In the end, simpler often means better.

Continue reading on www.curiosum.com

#reading-list #development #best-practice #elixir

🔗 10 lessons for agentic coding

2026-05-30T08:00:00Z

Devs should use AI for fast implementation and automation while focusing their human expertise on testing, documentation, and high-value architectural decisions.

Continue reading on www.dbreunig.com

#reading-list #development #best-practice #ai #testing

🐥 Downloading external images as squares from a Phoenix app

2026-05-29T17:00:00Z

A common need in admin tools: click a button, download a remote image as a square JPEG. Simple enough — until CORS gets in the way.

The CORS problem

When fetching a cross-origin image and drawing it onto a , the browser marks the canvas as "tainted". The moment you call canvas.toBlob() to read the pixel data back out, it throws a security error. Unless the image server sends explicit CORS headers — which most don't — you can't do canvas operations on cross-origin images.

The fix: a server-side proxy

The solution is to proxy the image through the Phoenix app. From the browser's point of view the image comes from the same origin, so the canvas stays clean.

def image_proxy(conn, %{"url" => url}) do
  with true <- allowed_url?(url),
       {:ok, response} <- Req.get(url) do
    content_type =
      response.headers
      |> Map.get("content-type", ["image/jpeg"])
      |> List.first()
      |> String.split(";")
      |> hd()

    conn
    |> put_resp_content_type(content_type)
    |> send_resp(200, response.body)
  else
    false -> send_resp(conn, 400, "Invalid URL")
    _ -> send_resp(conn, 502, "Failed to fetch image")
  end
end

The allowed_url?/1 function validates the host against a known allowlist — an important SSRF guard so the proxy can't be abused to fetch arbitrary internal URLs.

Center-cropping to a square in the browser

Once the image loads from the proxy, a small Canvas API snippet handles the crop. The logic is straightforward: use the shorter dimension as the square size, then offset into the longer dimension by half the difference to take the center slice.

window.addEventListener("phx:download-square-image", (event) => {
  const { url, filename } = event.detail;
  const proxyUrl = `/image-proxy?url=${encodeURIComponent(url)}`;

  const img = new Image();
  img.onload = () => {
    const size = Math.min(img.naturalWidth, img.naturalHeight);
    const canvas = document.createElement("canvas");
    canvas.width = size;
    canvas.height = size;

    const ctx = canvas.getContext("2d");
    const offsetX = (img.naturalWidth - size) / 2;
    const offsetY = (img.naturalHeight - size) / 2;
    ctx.drawImage(img, offsetX, offsetY, size, size, 0, 0, size, size);

    canvas.toBlob((blob) => {
      const a = document.createElement("a");
      a.href = URL.createObjectURL(blob);
      a.download = filename;
      a.click();
      URL.revokeObjectURL(a.href);
    }, "image/jpeg", 0.95);
  };
  img.src = proxyUrl;
});

For a landscape image the left and right edges are trimmed, keeping the center. For a portrait image the top and bottom are trimmed instead. The full shorter dimension is always preserved — no upscaling, no padding.

Wiring it up in LiveView

The download is triggered from the template using Phoenix's JS.dispatch/2, which fires a custom DOM event with the image URL and filename as detail:

<button
  class="cursor-pointer"
  phx-click={
    JS.dispatch("phx:download-square-image",
      detail: %{url: @image_url, filename: "image.jpg"}
    )
  }
>
  Download
button>

No LiveView round-trip needed — JS.dispatch fires the event directly in the browser, the window listener catches it, and the download happens entirely client-side after the one proxy fetch.

Why `naturalWidth` instead of `width`?

img.width returns the CSS-rendered size, which is meaningless for an image that isn't attached to the DOM. img.naturalWidth always returns the actual pixel dimensions of the image data — the right value to use when doing pixel-level canvas operations.

#javascript #frontend #elixir #phoenix

🔗 Programming in 2026: excitement, dread, and the coming wave

2026-05-29T13:00:00Z

A big part of software engineering is now communicating with an alien technology we don't - and can't - fully understand.

Continue reading on amontalenti.com

#reading-list #development #best-practice #ai

🔗 When everyone has AI and the company still learns nothing

2026-05-29T08:00:00Z

Individual AI productivity gains don't automatically become organizational ones. Companies are past the "buy seats and run training" phase and into a messier stage where adoption is uneven, partially hidden, and disconnected from real learning. The key question isn't whether people use AI, but whether the organization captures what changed because of it. That requires linking operational control, loop-level feedback, and capability sharing into something that builds learning velocity over time.

Continue reading on www.robert-glaser.de

#reading-list #development #best-practice #ai

🔗 Claude code is not making your product better

2026-05-28T17:00:00Z

At the frontier, it's not clear that spending on tokens produces any economic value at all. The bottleneck at that level is tastemakers. The taste to delete, compress, and refuse is more valuable now that the floor is rising. AI makes it possible for anyone to create generic products, but it won't help the highest-level artisans create better products.

Continue reading on ethanding.substack.com

#reading-list #development #best-practice #ai

🔗 S3 Files and the changing face of S3

2026-05-28T13:00:00Z

The frustrating process of moving large datasets is all too familiar in many industries. In the article, Andy Warfield recounts his experiences with genomics researchers at UBC, who spent excessive time managing data rather than analyzing it. He introduced S3 Files to bridge this gap between S3 and local filesystems, simplifying data workflows. The introduction of unified data primitives like S3 Tables and S3 Vectors supports structured data and semantic search more effectively. With S3 Files, any existing S3 data can now be accessed directly as a network-attached filesystem, paving the way for enhanced data interaction across various tools.

Continue reading on www.allthingsdistributed.com

#reading-list #development #tools #best-practice #devops

🔗 Phoenix LiveView widgets with hooks: a reusable pattern

2026-05-28T08:00:00Z

Reusable Phoenix widgets have often been a challenge in Elixir applications, especially when managing state and events without complicating the parent LiveView. This article highlights a unique pattern for creating stateful and interactive components using function components and hooks. The method allows components to be self-contained, managing their own state while seamlessly integrating into the LiveView lifecycle.

It covers the limitations of LiveComponents and Embedded LiveViews, demonstrating how the pattern can simplify component development by treating the LiveView's socket as the single source of truth. By implementing hooks, developers intercept events without requiring the parent LiveView to handle internal complexities, enabling multiple instances to run independently in the same context. A practical example involves building a chat widget, detailing the essential steps and considerations to maintain performance and reliability.

Continue reading on curiosum.com

#reading-list #frontend #pattern #elixir #phoenix

🐥 The Tailwind `enabled:` selector trick for disabled buttons

2026-05-27T17:00:00Z

When you add a disabled attribute to a

🔗 Recursion as a design pattern

2026-05-27T13:00:00Z

What if recursion was the best way to handle list processing in Elixir? This article reveals how recursion isn't just an alternative to loops but the optimal method in Elixir for list manipulation. Developers often struggle with traditional loop constructs, but Elixir’s approach leverages the accumulator pattern to streamline operations. The article contrasts two recursive styles for summing lists, illustrating how using an accumulator enhances performance by eliminating waiting stacks.

By understanding this pattern, users can resolve confusion over recursion and recognize it as a natural fit for Elixir's functional paradigm. Concepts like Enum.reduce align with the accumulator, making it clearer how to harness recursion efficiently in real-world scenarios. Bruce Tate’s insights underscore the necessity for shifting perspectives about recursion to see it as an inherent feature rather than a workaround.

Continue reading on grox.io

#reading-list #pattern #best-practice #elixir

🔗 Don't let AI write for you

2026-05-27T08:00:00Z

Do LLMs enhance or hinder writing? This provocative piece warns against the pitfalls of using AI to generate documents and essays. The author argues that writing is not just about producing text; it’s an opportunity to explore ideas and build understanding. By relying on LLMs, individuals risk undermining their own credibility and authentic thinking. While LLMs can serve functional roles, like idea generation or quick transcription, they should not replace the deep cognitive process associated with writing. The article emphasizes the importance of engaging with the content and reflects on how LLM-generated writing impacts personal trustworthiness. To truly benefit from LLM tools, users must elevate their own thoughtfulness in the writing process.

Continue reading on alexhwoods.com

#reading-list #best-practice #ai

🔗 The Pulse: token spend breaks budgets – what next?

2026-05-26T17:00:00Z

In the past couple of months, spending on AI agents has surged dramatically among tech companies, with many experiencing a nearly 10x increase in costs. Gergely Orosz highlights the trend of "tokenmaxxing," where developers are incentivized to maximize their AI usage for personal standings on internal leaderboards, raising concerns for leadership about the sustainability of such spending. Insights from 15 businesses showcase that while some companies are currently seeing productivity increase, their token costs are becoming unsustainable. Companies are now considering strategies ranging from limiting model usage to encouraging more efficient token consumption. The article illustrates how firms are navigating this financial pressure amidst a growing embrace of AI in their operations and the shifting perceptions around its costs.

Continue reading on newsletter.pragmaticengineer.com

#reading-list #best-practice #ai #announcement

🐥 YellowDuck.be

🔗 Computer use is 45x more expensive than structured APIs

🔗 Why developers should – and shouldn’t – use LLMs in our development

🔗 The robots are replacing the packages

🐥 Why crypto.getRandomValues() matters in JavaScript

The problem with Math.random()

Using crypto.getRandomValues()

Generating a secure random token

Typed arrays are required

Browser and runtime support

UUID generation

Things to remember

🔗 The language of the boundary

🔗 AI agents keep failing. The fix is 40 years old.

🔗 Claude Code is a build system, not a chatbot

🔗 Functional programmers need to take a look at Zig

🔗 API versioning should be your last resort

🐥 How to find all Jira issues ever assigned to someone (even historical ones)

The was operator

Checking multiple people at once

Scoping to a specific year

Putting it all together

🔗 How I write HTTP servers

🔗 I don't want your PRs anymore

🔗 The age of refinement: optimizing search performance for MCP systems

🔗 OpenAPI DSLs: The silent developer productivity killer

🔗 10 lessons for agentic coding

🐥 Downloading external images as squares from a Phoenix app

The CORS problem

The fix: a server-side proxy

Center-cropping to a square in the browser

Wiring it up in LiveView

Why naturalWidth instead of width?

🔗 Programming in 2026: excitement, dread, and the coming wave

🔗 When everyone has AI and the company still learns nothing

🔗 Claude code is not making your product better

🔗 S3 Files and the changing face of S3

🔗 Phoenix LiveView widgets with hooks: a reusable pattern

🐥 The Tailwind `enabled:` selector trick for disabled buttons

The problem

The fix: enabled:

Why this matters

In practice (Phoenix / LiveView)

🔗 Recursion as a design pattern

🔗 Don't let AI write for you

🔗 The Pulse: token spend breaks budgets – what next?

The problem with `Math.random()`

Using `crypto.getRandomValues()`

The `was` operator

Why `naturalWidth` instead of `width`?

The fix: `enabled:`