David Pogue’s new book, “Apple: The First 50 Years,”is packed with stories about the rivalry between Apple and Microsoft. But one stands out above the rest.

In late 2005, Steve Jobs attended the 50th birthday party of a Microsoft engineer, the husband of a friend of his wife, Laurene. Over dinner, the guy lectured Jobs on how Microsoft had solved the future of computing with a tablet and stylus.

It wasn’t the first time, as Pogue recounts the story. Jobs had heard this pitch from the same person roughly ten times before.

“I was so sick of it that I came home and said, ‘Fuck this, let’s show him what a tablet can really be,’ ” Jobs said later, as reported in the book. The Apple co-founder and CEO walked into Apple’s Monday morning meeting riled up. “We need to show the world how to create a real tablet,” he told his team.

To him, that meant no stylus: “God gave us ten styluses,” he said, waggling his fingers.

The eventual result was the iPad, according to popular Apple lore.

The story is one of dozens of Microsoft anecdotes that appear in Pogue’s epic book. Across 50 years of Apple history, Microsoft shows up in almost every chapter, playing a different role each time — collaborator, copycat, existential threat, unlikely savior, and humbled rival.

Apple is celebrating its 50th anniversary today. Microsoft marked its own a year ago. And the real question now is what comes next for both companies in an era when AI is reshaping the industry as significantly as the graphical interface did in the 1980s.

The popular perception about Apple these days is that it’s an also-ran in AI. Microsoft, despite its recent struggles, has positioned itself more strategically to capitalize on the AI boom.

If Pogue’s book is any guide, that’s exactly the kind of moment when someone in Cupertino might just get riled up enough to do something about it.

Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets (like API keys) in order to both publish malicious packages from an attacker-controlled machine as well as gain access to more projects in order to propagate the attack.

These attacks often start by compromising a workflow on GitHub Actions.

Let’s talk through what you can do today to secure your GitHub Actions workflows, what work GitHub has been doing to secure open source, and what to expect in the coming months for further security enhancements.

What you can do today

Many of these attacks start by looking for exploitable GitHub Actions workflows.

The most critical action you can take is to enable CodeQL to review your GitHub Actions workflow implementation (available for free on public repositories) to inspect your workflows for security best practices.

Next, review our detailed actions security guidance. In particular:

• Don’t trigger workflows on pull_request_target.
• Pin third-party Actions to full-length commit SHAs.
  • This pinning should be done by you or Dependabot; be suspicious of external pull requests that update this content.
• Look out for script injection when referencing user-submitted content.

When an attack happens, we publish information about compromised dependencies in our Advisory Database. You can get up-to-date information directly from the Advisory Database or use tools like Dependabot (also free for public repositories) to notify you when you have malicious or vulnerable dependencies.

What we’ve done

These attacks follow the same pattern: they focus on exfiltrating secrets to publish malicious packages from an attacker-controlled machine, as well as using those malicious packages to gain access to more projects to propagate the attack.

Instead of using secrets in your workflows, you can use an OpenID Connect token that contains the workload identity of the workflow to authorize activities. We’ve worked with many systems to integrate with Actions this way, including cloud providers, package repositories, and other hosted services.

Specifically, GitHub partners with the OpenSSF to support this security capability, called trusted publishing, in package repositories, which is now supported across npm, PyPI, NuGet, RubyGems, Crates, and other package repositories. Not only does trusted publishing remove secrets from build pipelines, it also provides a valuable signal when a newly published package stops using trusted publishing: the community uses this signal to investigate if the package came from an attacker using exfiltrated credentials.

npm is the largest package repository in the world, with over 30,000 packages published each day. We scan every npm package version for malware, and our detections are constantly updated and improved as attacks evolve. Hundreds of newly published packages contain malicious code daily, so when detected, a human reviews to confirm it’s a true positive before we take action. At this scale, even a 1% false-positive rate would disrupt hundreds of legitimate publishes daily.

What to expect in the coming months

In late 2025 the Shai-Hulud attacks motivated a revamped security roadmap for npm, which we talked about in Our plan for a more secure npm supply chain and Strengthening supply chain security: Preparing for the next malware campaign. In response to Shai-Hulud we accelerated the roll-out of capabilities like npm trusted publishing, continued work on malware detection and removal, and engaged with open source maintainers on what npm security capabilities would have the biggest positive impact. Even when the community agrees a change must be made, those changes can mean that people need to change their workflow, or worse, cause backwards incompatibility. We’re working to provide as smooth a transition as possible.

Similarly, with the most recent round of attacks we are revisiting our security roadmap for GitHub Actions and accelerating actions security capabilities where work was already underway. You can give us feedback on the GitHub Actions security roadmap in the community discussion post.

Where do we go from here?

Open source is a global public good and one of humanity’s greatest collaborative projects. We have not seen the end of attacks on open source, but GitHub is committed to defending it across npm, actions, or whatever comes next. As we work on rolling out these security capabilities, we look forward to your feedback on what’s most impactful and how we manage the transition to a more secure future.

The post Securing the open source supply chain across GitHub appeared first on The GitHub Blog.

---

---

When you type a question into ChatGPT, the model only has what you typed to work with. But tools like Claude Code can plan, iterate, test, and recover from mistakes. They work more like we do. The difference is the agent harness: Planning tools, file system access, sub-agents, and carefully crafted system prompts that turn a raw LLM into something genuinely capable.

Sydney Runkle is back on Talk Python representing LangChain and their new open source library, Deep Agents: A framework for building your own deep agents with plain Python functions, middleware hooks, and MCP support. This is how the magic works under the hood.

Episode sponsors

Sentry Error Monitoring, Code talkpython26
Temporal
Talk Python Courses

Links from the show

Download audio: https://talkpython.fm/episodes/download/543/deep-agents-langchains-sdk-for-agents-that-plan-and-delegate.mp3

Last month, we published Flutter and Dart’s 2026 Roadmap, a peek into how our teams are approaching our core mission: Building the most popular, fastest growing, and highest-productivity multi-platform UI framework. But it’s impossible to talk about development in 2026 without acknowledging AI.

To meet this moment, today we are sharing our data-driven and honest thoughts on how our teams approach Dart and Flutter + AI in 2026. This post is intended to be less of a roadmap and more of a collection of thoughts guiding our strategy. Transparency is a core pillar of Flutter, and as an open source project, we believe in the value of experimentation in public. Interpret this as a snapshot of how we’re thinking about AI today; we value your input and feedback but we also recognize that, in this rapidly shifting environment, strategy and approach may change as models, tools, and their use evolve.

The Agentic shift by the numbers

Flutter gained initial traction by staying ahead of the curve and adapting nimbly to the needs of developers building cross-platform. Now, AI represents another variable in how we think about our ecosystem. Not because every developer needs to use AI, but because we need to consider how it’s shifting our goals for those who do.

AI adoption is no longer a future trend; it is the current reality. The 2025 Stack Overflow Developer Survey showed that 84% of all developers use AI tools in some way within their daily workflows, and in our 2025 Flutter User Survey, we found that 79% of Flutter developers specifically report using AI assistants while working with Flutter.

However, this rapid adoption has revealed a significant “trust gap.” While 73% of developers feel more productive because they can reduce the friction of starting new tasks, 46% do not yet trust the accuracy of AI tools for critical tasks like writing, debugging, or fixing code. This leads to a “verification tax” — the time engineers pay auditing the output or fine-tuning instructions to achieve correctness.

Our approach: Who we build for and the principles that guide us

As the premier multi-platform UI framework from Google, Flutter is uniquely positioned to focus on the AI builders in our ecosystem. The principles ensure that Dart and Flutter remain the most reliable choice for developers building apps that run on any screen.

Who we are solving for

Our strategy addresses builders across the spectrum of AI adoption from traditional to agentic development:

• The traditional developer: Earn trust in AI for those who depend on core Dart and Flutter tooling. Traditional developers care deeply about thinking through problems themselves and using developer tools to dig under the hood. We aim to improve the existing foundation for them, which in turn improves the quality of AI and builds trust in agentic development.
• The AI-assisted developer: Improve productivity with AI for those who have adopted AI coding agents in their Dart and Flutter workflows. These engineers rely on AI for repetitive, tedious tasks and boilerplate code so they can spend more time on complex functional and architectural code. Our developer experience team is exploring AI tooling such as MCP servers, Agent Skills and other solutions in this space.
• The AI-first developer : Make AI work for those who haven’t yet discovered Flutter is the best way to build their apps. These builders are creating apps with natural language. By recognizing where their needs overlap other personas, we ensure our framework is ready for the future of AI development. Collaborations here might include guidance on Flutter with Antigravity, and other vibe-coding products that reflect “Vibe once, deploy everywhere” concept introduced at Google I/O 2025.

Our driving principles

• Humans first: Dart remains a “human first” language. We prioritize making code readable and manageable for developers, even when it is generated by agents.
• Add, don’t replace: AI tools should add and improve the experience of building with Dart and Flutter. Each developer should be empowered to use AI assistance as much as they desire, and on a timeline that they choose. We intend to ensure AI is grounded in our documentation and foundational tooling as the source of truth.
• Open standards & agent agnostic: We meet developers where they are. By leveraging open standards like the Model Context Protocol (MCP), we ensure Flutter works well with any agent you choose, not just Gemini. For example, we recently added an MCP tool to ensure hot reload can be used during AI Assisted development.
• Trust through quality: We aim to solve the “verification tax” by ensuring AI-generated code is accurate, idiomatic, and compliant with project standards. Ongoing investments and partnerships with Google Deepmind and Antigravity on model evaluation drive quality from the model through to AI developer tools. If you’re a model engineer, hit us up, we’d love to make your model write beautiful Dart code!

Let us know what you think

We are intentionally experimenting in public because no one knows exactly where this space is going. We invite the community to join us, share your feedback, and help steer the future of Dart and Flutter. Comment here, on social media, or via community forums; we value your thoughts and these conversations.

… Or continue building apps without AI, that’s totally valid too, and we welcome feedback on our developer roadmap in our previous post. For a deeper dive into our plans, you can view the full official 2026 Roadmap.

---

How Dart and Flutter are thinking about AI in 2026 was originally published in Flutter on Medium, where people are continuing the conversation by highlighting and responding to this story.