Changelog News

Developer news worth prematurely optimizing

Jerod here! 👋

Security researchers have discovered a way hackers might weaponize GitHub Copilot and Cursor to insert malicious code that might bypass typical code reviews, calling it “virtually invisible to developers and security teams.” So, your most trusted coding assistant could also be an unwitting accomplice to some particularly gnarly attacks. Is it time to update the old adage?

“Keep your friends close, and your enemies closer, but your AIs closest.”

Ok, let’s get into the news.

🎧 The era of durable execution

Stephan Ewen, Founder and CEO of Restate.dev joins the show to talk about the coming era of resilient apps, the meaning of and what it takes to achieve idempotency, this world of stateful durable execution functions, and when it makes sense to reach for this tech. VIDEO

👥 Google’s new protocol has AI agents talkin’

If our agentic future is to someday arrive, we’re gonna need a way for my agent to call your agent (so we can do lunch). Google thinks they developed a good way of achieving that with their A2A protocol:

a collaborative way to help agents across different ecosystems communicate with each other. Google is driving this open protocol initiative for the industry because we believe this protocol will be critical to support multi-agent communication by giving your agents a common language – irrespective of the framework or vendor they are built on.

They have “more than 50 technology partners” agreeing to work together to further develop the protocol, and they see it as complementary to MCP, not in competition with it. According to Google, MCP “provides helpful tools and context to agents” while A2A “empowers developers to build agents capable of connecting with any other agent.”

That being said, Anthropic is not listed as a technology partner and I can’t help but think there’ll be quite a bit of overlap between the two protocols as things progress.

🚀 Datastar - The hypermedia framework

If Alpine.js (frontend reactivity) and htmx (backend reactivity) had a love child, Datastar might be it.

Include Datastar with a single 14.5 KiB file and start adding reactivity to your frontend immediately. Write your backend in the language of your choice! Official SDKs are available to help you get up and running even faster, or you can send SSE events directly from your backend.

The backend SDKs must implement Datastar’s SSE protocol, which looks simple enough. This is an impressive effort, at first brush. The only thing I can’t find is evidence of Datastar being used in production anywhere. Maybe I missed it? The team has confidence in the framework, though…

We’re so confident that Datastar can be used as a JavaScript framework replacement that we challenge anyone to find a use-case for a web app that Datastar cannot be used to build!

🥇 The best programmers I know

Matthias Endler takes a crack at answering a similar question to the one I posed to Justin Searls on a recent Friends:

I have met a lot of developers in my life. Lately, I asked myself: “What does it take to be one of the best? What do they all have in common?”

Here’s a sampling of Matthias’ list of things great devs do, cherry-picked for the ones I agree with most:

Read the Reference
Break Down Problems
Never Stop Learning
Have Patience
Keep it Simple

Matthias’ “patience” section most closely aligns with the one thing that Justin and I both agreed is compulsory to becoming a good developer: perseverance

💰 Retool’s Q1 2025 release

Thanks to Retool for sponsoring Changelog News

The latest release from Retool includes over 100 improvements. If you’re on-prem, upgrade to 3.148. For everyone else, create a free account or login.

Here are 5 standout features that directly address frequent requests from customers deploying Retool.

Multipage apps are now the default building experience, giving you a better foundation for complex applications. Multipage apps are apps that consolidate several separate apps into a single, more maintainable application. Defaulting to this architecture delivers 27% faster load times on average.
Confirming production-readiness gets easier thanks to enterprise deployment controls that enable structured governance, collaboration, and testing for secure, reliable app releases.
Multi-instance releases is now in private beta. A simple manifest file designates consistent app version releases across multiple environments, enabling structured promotion from dev to production.
Usage Analytics has beeb enhanced. A redesigned dashboard provides tab-based views and granular insights into user engagement across your entire deployment.
Workflows are the next big thing. They let you create multistep functions with execution control and AI logic that can connect to dozens of databases, third-party services and APIs – and ship it all in a single click.

Check out the detailed release notes to learn more.

💨 Linus Torvalds built Git in 10 days

As if it weren’t already impressive… TIL the initial version of Git was hammered out in a mere 10 days back in April, 2005. It’s also interesting to note that Linux’s success wasn’t enough to rid Linus of his imposter syndrome:

that while he’s proud of having created Linux, what makes him “happy about Git is not that it’s taken over the world. It’s that we all have self-doubt, right? We all think, ‘Are we actually any good?’ And one of the self-doubts I had with Linux was it was just a reimplementation of Unix, right? Can I give you something that isn’t just a better version of something else? Git proved to me that I can. Having two projects that made a big splash means that I’m not a one-trick pony.”

This post by Steven Vaughan-Nichols is a great little peak into the history of Git to celebrate its 20-year anniversary. My only gripe is that the “Why has Git been so successful?” section doesn’t even mention the impact that GitHub had on Git’s adoption. Before GitHub, it wasn’t clear if Mercurial or Git would be the community’s DVCS of choice. After GitHub… well, we’re living in it.

🧠 A simple CLI to help remember commands

Zev is a python-based CLI tool that helps you remember (or discover) terminal commands using natural language. For example, you might type out:

“show all files in this directory w/ human readable sizes”

And Zev will present you with 3 options:

ls -lh
du -sh *
find . -maxdepth 1 -type f -exec ls -lh {} +

You can then select the one you want to use and copy it to your clipboard for pasting. How does it achieve this magic? With the OpenAI API, what’d you expect!? You can also point it at Ollama, so that’s nice.

🎙️ Proud pod parents

Richard Moot joins us to discuss Changelog helping Square launch a developer pod and the excitement around MCP (Model Context Protocol) servers. What might it foretell about the future of human/robot relations? VIDEO

🐢 Atuin Scripts: shareable, syncable shell snippets

Ellie Huxtable:

Your shell history holds a record of your most useful, time-saving, and obscure one-liners. Atuin already makes them easier to search and recall, but they’re still hard to reuse or share cleanly. With Atuin Scripts, that changes.
You can now turn any shell command (or series of commands) into a reusable, synced, and shareable script.

🎨 A gallery of awesome 404 page designs

Every website needs a 404 “page not found” design. The cooler, the better. Ours is kinda cool, it embeds a random clip for you to watch as a little apology for not finding what you wanted to. But sometimes you just can’t think of something cool to do. Well, bookmark this awesome gallery of cool 404 designs for a rainy day.

💰 Depot + Tailscale

Thanks to Depot for sponsoring Changelog News

Depot just announced their integration with Tailscale. , solving one of the most persistent challenges for DevOps teams using ephemeral CI/CD environments.

Starting today, you can connect Depot’s GitHub Actions runners and container builders directly to your Tailscale tailnet, enabling secure access to private services without exposing them to the public internet or maintaining static IP allow lists. This integration leverages Tailscale’s identity-first connectivity model, with Depot runners joining your tailnet as ephemeral nodes that you can control through familiar Tailscale ACLs.

Setting up the integration is straightforward with a simple three-step process:

Create a tag for your Depot runners in your Tailnet ACLs
Generate OAuth client credentials using this tag
Configure your Depot organization with these credentials.

Once connected, your Depot workflows can securely access databases, services in private VPCs, and even on-premise networks through subnet routers—all while maintaining strict access controls.

Check out the full announcement and join Depot’s Discord community if you have questions.

🕵️ Git blame for file trees

git-who is a CLI for answering the eternal question: “Who wrote this code?!”, but it works differently than git-blame.

Unlike git-blame, which can tell you who wrote a line of code, git-who tells you the people responsible for entire components or subsystems in a codebase. You can think of git-who sort of like git-blame but for file trees rather than individual files.

📐 Don’t forget your (un)ordered list

📚 The Developer’s Dictionary

If it ain’t measured in microseconds, it ain’t optimized yet 😤

optimization (noun) The result of squeezing .002% more efficiency from your code for just 200% the complexity, confirming your status as an elite programmer. Knuth: Premature optimization is the root of all evil. Dev: Be quiet, old man, I’m doing some optimizations.

That’s the news for now, but we have some great episodes coming up this week:

Wednesday: Anthony Eden, founder of DNSimple
Friday: Nick Nisi, founder the Unofficial TypeScript Fan Club

Have a great week, forward this to a friend who might dig it & I’ll talk to you again real soon. 💚

–Jerod