#dependabot

#dependabot

This extends to the software development community, which is seeing a near-ubiquitous presence of AI-coding assistants as teams face pressures to generate more output in less time. While the huge spike in efficiencies greatly helps them, these teams too often fail to incorporate adequate safety controls and practices into AI deployments. The resulting risks leave their organizations exposed, and developers will struggle to backtrack in tracing and identifying where - and how - a security gap occurred.

Chainguard has rebuilt nearly one million unique versions of Java dependencies, including enterprise essentials such as Spring Boot, Jackson, Apache Commons, and Log4j, using the Chainguard Factory, an automated platform for creating software builds based on code originally found in open source software repositories.

Dependabot sounded the alarm on a large scale. Thousands of repositories automatically received pull requests and warnings, including a high vulnerability score and signals about possible compatibility issues. According to Valsorda, this shows that the tool mainly checks whether a dependency is present, without analyzing whether the vulnerable code is actually accessible within a project.

Central to the GA release is Agentic Chat. This functionality builds on the previously introduced Duo Chat but goes a step further by leveraging context from virtually every part of GitLab. Think of issues, merge requests, CI/CD pipelines, and security findings. Agentic Chat can not only advise, but also actually perform actions on behalf of developers, depending on the rights and approvals that have been set.

Giving coding agents full access to all of Ramp's engineering tools is what makes Inspect truly innovative. Instead of only letting agents write basic code, Ramp's system runs in sandboxed virtual machines on Modal. It works seamlessly with databases, CI/CD pipelines, monitoring tools like Sentry and Datadog, feature flags, and communication platforms such as Slack and GitHub. Agents can write code and ensure it works by using the same testing and validation processes that engineers use every day.

Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user's machine. This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.

Industry professionals are realizing what's coming next, and it's well captured in a recent LinkedIn thread that says AI is moving on from being just a helper to a full-fledged co-developer - generating code, automating testing, managing whole workflows and even taking charge of every part of the CI/CD pipeline. Put simply, AI is transforming DevOps into a living ecosystem, one driven by close collaboration between human judgment and machine intelligence.

Software development used to be simpler, with fewer choices about which platforms and languages to learn. You were either a Java, .NET, or LAMP developer. You focused on AWS, Azure, or Google Cloud. Full-stack developers learned the intricacies of selected JavaScript frameworks, relational databases, and CI/CD tools. In the best of times, developers advanced their technology skills with their employer's funding and time to experiment. They attended conferences, took courses, and learned the low-code development platforms their employers invested in.

DBmaestro is a database release automation solution that can blend the database delivery process seamlessly into your current DevOps ecosystem with minimal fuss, and without complex installation or maintenance. Its handy database pipeline builder allows you to package, verify, and deploy, and gives you the ability to pre-run the next release in a provisional environment to detect errors early. You get a zero-friction pipeline, which is often not the case with database delivery process.

Vibe coding is the latest tech accelerator, and yes, it kind of rocks. New AI-assisted coding practices are helping developers ship new applications faster, and they're even allowing other business professionals to prototype workflows and tools without waiting for a full engineering cycle. Using a chatbot and tailored prompts, vibe coders can build applications in a flash and get them into production within days.

Attackers are actively exploiting a critical vulnerability in React Native's Metro server to infiltrate development environments. The vulnerability, CVE-2025-11953, allows malicious actors to execute code on Windows and Linux systems via exposed development servers. Metro is React Native's default JavaScript bundler during application development and testing. In many configurations, this server runs locally, but by default, Metro can also bind to external network interfaces. This makes HTTP endpoints available that are intended for development. It is precisely this functionality that now constitutes an attack vector,

Over the past decade, software development has been shaped by two closely related transformations. One is the rise of devops and continuous integration and continuous delivery (CI/CD), which brought development and operations teams together around automated, incremental software delivery. The other is the shift from monolithic applications to distributed, cloud-native systems built from microservices and containers, typically managed by orchestration platforms such as Kubernetes.

It allows developers to test code, review pull requests, and more, but also exposes them to attacks via repository-defined configuration files, Orca says. "Codespaces is essentially VS Code running in the cloud, backed by Ubuntu containers, with built-in GitHub authentication and repository integration. This means any VS Code feature that touches execution, secrets, or extensions can potentially be abused when attackers control the repository content," the cybersecurity firm notes.

GitHub engineers recently traced user reports of unexpected "Too Many Requests" errors to abuse-mitigation rules that had accidentally remained active long after the incidents that prompted them. According to GitHub, the affected users were not generating high-volume traffic; they were "making a handful of normal requests" that still tripped protections. The investigation found that older incident rules were based on traffic patterns that were strongly associated with abuse at the time, but later began matching some legitimate, logged-out requests.