TLDR Dev 2025-12-19

Articles & Tutorials

How we pwned X (Twitter), Vercel, Cursor, Discord, and hundreds of companies through a supply-chain attack (7 minute read)

Daniel, a 16-year-old hacker, along with friends, uncovered supply-chain vulnerabilities in Mintlify, an AI documentation platform used by many top companies. Daniel specifically found a cross-site scripting (XSS) vulnerability that allowed malicious scripts to be injected into documentation through SVG files, exploiting Mintlify’s internal file fetching. This flaw had a widespread impact, affecting major customers like Discord, X (Twitter), Vercel, and Cursor, but Mintlify quickly fixed the issue once the hackers notified it.
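The SVG vector above works because SVG is XML that browsers will happily execute script from (script elements, event-handler attributes, javascript: hrefs, foreignObject with embedded HTML) whenever the file is rendered inline or served from the same origin as the site. The following is an added example, not code from the article or from Mintlify, showing the kind of upload-time check and response headers a documentation platform can apply before it fetches and serves user-supplied SVGs. The sample SVG strings are constructed for the demonstration; the tag and attribute lists are a reasonable baseline, not an exhaustive allowlist.

```python
"""Flag SVG content that can execute script when rendered inline or
served same-origin, and produce headers for serving untrusted SVGs."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or embed arbitrary HTML inside an SVG.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object",
                  "animate", "set", "handler"}
# URL schemes that execute or smuggle content when used in an href.
ACTIVE_SCHEME_RE = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]


def find_svg_risks(svg_text: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged.

    The DOCTYPE/ENTITY check runs before parsing so that a crafted file
    cannot trigger entity expansion inside the parser.
    """
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["doctype or entity declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            # on* attributes (onload, onclick, ...) are inline event handlers.
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{tag}>")
            elif aname == "href":          # covers plain href and xlink:href
                match = ACTIVE_SCHEME_RE.match(value)
                if match:
                    scheme = match.group(1).lower()
                    findings.append(f"href with {scheme} scheme on <{tag}>")
                elif not value.startswith("#"):
                    # Inline-safe SVGs only reference fragments in the same file.
                    findings.append(f"external href on <{tag}>")
    return findings


def is_svg_safe(svg_text: str) -> bool:
    return not find_svg_risks(svg_text)


def untrusted_svg_headers() -> dict[str, str]:
    """Headers for serving an SVG that did not pass (or was never) checked.

    A CSP of 'none' blocks script even if the file is opened directly, and
    the attachment disposition stops the browser from rendering it as a page.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples for demonstration.
BENIGN_SVG = (
    f'<svg xmlns="{SVG_NS}" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/><use href="#marker"/></svg>'
)
MALICIOUS_SVG = (
    f'<svg xmlns="{SVG_NS}"><script>/* constructed sample */</script>'
    '<a href="javascript:void(0)"><text onclick="x">hi</text></a></svg>'
)

if __name__ == "__main__":
    print("benign:", find_svg_risks(BENIGN_SVG))
    print("malicious:", find_svg_risks(MALICIOUS_SVG))
```

A check like this belongs at upload time and again at fetch time, because the article's point is that the platform itself fetched the file into a trusted context; rejecting on any finding (rather than trying to strip the offending nodes) keeps the policy easy to reason about.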

What is EC2 Instance Attestation (6 minute read)

EC2 instance attestation makes it easier to validate that only trusted software is running on EC2 instances. It is now available in all AWS Commercial Regions, including the AWS GovCloud (US) Regions. EC2 Instance Attestation can unlock more use cases for trusted execution environments, such as LLM workloads, because it allows GPU features to be used. This article provides a demo that shows how a service provider can build and deploy a service that can be verified from source code, and how a service consumer can verify the provider's claims.

Opinions & Advice

Your job is to deliver code you have proven to work (6 minute read)

A software developer’s core responsibility is to deliver code that has been proven to work. The practice of submitting large, untested pull requests is a dereliction of duty that unfairly burdens reviewers. Proving code works involves two essential steps: thorough manual testing to personally verify functionality and demonstrate it, and bundling automated tests that validate the change.

One weird trick to manage engineering crises; stakeholders love it (5 minute read)

Tactical wins address a specific symptom with a specific fix. These wins matter because they demonstrate traction. Strategic investments don’t fix individual problems, but instead eliminate entire classes of problems. The trick is to sequence tactical wins and strategic investments to reinforce each other. Transparency will help stakeholders understand the tradeoffs you are making.

Launches & Tools

Introducing GPT-5.2-Codex (9 minute read)

OpenAI has launched GPT-5.2-Codex. This new model improves performance on long-horizon tasks, large code changes, and in Windows environments. It sets new benchmarks in agentic coding. The model’s capabilities have already led to the discovery of real-world vulnerabilities.

Piloting Claude in Chrome (8 minute read)

Claude in Chrome has an integration with Claude Code, where Claude Code can test code directly in the browser to validate its work. Claude can also see client-side errors via console logs.

picknplace.js (1 minute read)

picknplace.js is a simpler alternative to the usual drag-and-drop experience, especially on mobile devices. It streamlines the process into a three-step interaction: pick, scroll, then place. When an item is picked, an interactive duplicate of the list appears, allowing users to easily position their selection.

Miscellaneous

NVME is not a hard disk (14 minute read)

NVMe (nonvolatile memory express) is a storage access and transport protocol for flash and next-generation solid-state drives that delivers high throughput and fast response times for all types of enterprise workloads. NVMe over Fabrics over TCP allows you to make storage available even if it is in the wrong box. Distributed storage may be complicated, but it has a number of very attractive use cases.

The Anatomy of LCP – A Deep Dive into Sub-Parts (20 minute read)

Largest Contentful Paint (LCP) is a Core Web Vitals metric that measures when the most meaningful piece of content on a page becomes visible. Optimizing it matters because users should see this primary content as early as possible. There's more to optimizing than just reducing image file sizes. This article breaks down LCP into sub-parts (Time to First Byte, Resource Load Delay, Resource Load Duration, and Element Render Delay) to explain exactly where time is being spent, so readers know how to diagnose slow LCP on their sites.

Quick Links

Minification isn’t obfuscation - Claude Code proves it (6 minute read)

The minification process in JavaScript doesn't actually secure anything; it just makes the code harder to read.

A Better Way to Work with Claude Code (Website)

Nimbalyst is a local WYSIWYG editor and session manager that lets users iterate with Claude Code with full context.

One Agent Isn’t Enough (12 minute read)

Agentic coding often struggles with variance, as the stochastic nature of LLMs means a single agent run might miss the optimal solution.

GitHub walks back plan to charge for self-hosted runners (7 minute read)

GitHub reversed its decision to charge for self-hosted Actions runners, postponing the billing change to re-evaluate its approach.

Written by Priyam Mohanty, Jenny Xu & Ceora Ford