Until recently MySQL was the leading open source database across the world. However, PostgreSQL has become the default choice for many new projects and younger developers, thanks to its active community, rich feature set (especially extensions), and strong brand momentum. Earlier this month Oracle put out a blog post on how it plans to expand the community edition of MySQL. In response the MySQL community has now published an open letter inviting Oracle to join it in a conversation about establishing a non-profit foundation to support and ensure the future of the MySQL ecosystem. It argues that this would create… [Continue Reading]

Security experts have urged people to be cautious with the viral agentic AI tool, known for being highly capable but also wildly unpredictable.

Modern software is built on open source projects. In fact, you can trace almost any production system today, including AI, mobile, cloud, and embedded workloads, back to open source components. These components are the invisible infrastructure of software: the download that always works, the library you never question, the build step you haven’t thought about in years, if ever.

A few examples:

• curl moves data for billions of systems, from package managers to CI pipelines.
• Python, pandas, and SciPy sit underneath everything from LLM research to ETL workflows and model evaluation.
• Node.js, LLVM, and Jenkins shape how software is compiled, tested, and shipped across industries.

When these projects are secure, teams can adopt automation, AI‑enhanced tooling, and faster release cycles without adding risk or slow down development. When they aren’t, the blast radius crosses project boundaries, propagating through registries, clouds, transitive dependencies, and production systems, including AI systems, that react far faster than traditional workflows.

Securing this layer is not only about preventing incidents; it’s about giving developers confidence that the systems they depend on—whether for model training, CI/CD, or core runtime behavior—are operating on hardened, trustworthy foundations. Open source is shared industrial infrastructure that deserves real investment and measurable outcomes.

That is the mission of the GitHub Secure Open Source Fund: to secure open source projects that underpin the digital supply chain, catalyze innovation, and are critical to the modern AI stack. 

We do this by directly linking funding to verified security outcomes and by giving maintainers resources, hands‑on security training, and a security community where they can raise their highest‑risk concerns and get expert feedback. 

Why securing critical open source projects matters 

A single production service can depend on hundreds or even thousands of transitive dependencies. As Log4Shell demonstrated, when one widely used project is compromised, the impact is rarely confined to a single application or company.

Investing in the security of widely used open source projects does three things at once:

• It reinforces that security is a baseline requirement for modern software, not optional labor.
• It gives maintainers time, resources, and support to perform proactive security work.
• It reduces systemic risk across the global software supply chain.

This security work benefits everyone who writes, ships, or operates code, even if they never interact directly with the projects involved. That gap is exactly what the GitHub Secure Open Source Fund was built to close. In Session 1 & 2, 71 projects made significant security improvements. In Session 3, 67 open source projects delivered concrete security improvements to reduce systemic risk across the software supply chain.

---

Session 3, by the numbers

• 67 projects
• 98 maintainers
• $670,000 in non-dilutive funding powered by GitHub Sponsors
• 99% of projects completed the program with core GitHub security features enabled

Real security results across all sessions:

• 138 projects
• 219 maintainers
• 38 countries represented by participating projects
• $1.38M in non-dilutive funding powered by GitHub Sponsors
• 191 new CVEs Issued
• 250+ new secrets prevented from being leaked
• 600+ leaked secrets were detected and resolved
• Billions of monthly downloads powered by alumni projects

Plus, in just the last 6 months:

• 500+ CodeQL alerts fixed
• 66 secrets blocked

---

Where security work happened in Session 3

Session 3 focused on improving security across the systems developers rely on every day. The projects below are grouped by the role they play in the software ecosystem.

Core programming languages and runtimes 🤖

CPython • Himmelblau • LLVM • Node.js • Rustls

These projects define how software is written and executed. Improvements here flow downstream to entire ecosystems.

This group includes CPython, Node.js, LLVM, Rustls, and related tooling that shapes compilation, execution, and cryptography at scale.

For example, improvements to CPython directly benefit millions of developers who rely on Python for application development, automation, and AI workloads. LLVM maintainers identified security improvements that complement existing investments and reduce risk across toolchains used throughout the industry.

When language runtimes improve their security posture, everything built on top of them inherits that resilience.

Web, networking, and core infrastructure libraries 📚

Apache APISIX• curl• evcc • kgateway• Netty• quic-go• urllib3 • Vapor

These projects form the connective tissue of the internet. They handle HTTP, TLS, APIs, and network communication that nearly every application depends on.

This group includes curl, urllib3, Netty, Apache APISIX, quic-go, and related libraries that sit on the hot path of modern software.

Build systems, CI/CD, and release tooling 🧰

Apache Airflow • Babel • Foundry • Gitoxide • GoReleaser • Jenkins • Jupyter Docker Stacks • node-lru-cache • oapi-codegen • PyPI / Warehouse • rimraf  • webpack

Compromising build tooling compromises the entire supply chain. These projects influence how software is built, tested, packaged, and shipped.

Session 3 included projects such as Jenkins, Apache Airflow, GoReleaser, PyPI Warehouse, webpack, and related automation and release infrastructure.

Maintainers in this category focused on securing workflows that often run with elevated privileges and broad access. Improvements here help prevent tampering before software ever reaches users.

Data science, scientific computing, and AI foundations 📊

ACI.dev • ArviZ • CocoIndex • OpenBB Platform • OpenMetadata • OpenSearch • pandas • PyMC • SciPy • TraceRoot

These projects sit at the core of modern data analysis, research, and AI development. They are increasingly embedded in production systems as well as research pipelines.

Projects such as pandas, SciPy, PyMC, ArviZ, and OpenSearch participated in Session 3. Maintainers expanded security coverage across large and complex codebases, often moving from limited scanning to continuous checks on every commit and release.

Many of these projects also engaged deeply with AI-related security topics, reflecting their growing role in AI workflows.

Developer tools and productivity utilities ⚒️

AssertJ • ArduPilot • AsyncAPI Initiative • Bevy • calibre • DIGIT • fabric.js • ImageMagick • jQuery • jsoup • Mastodon • Mermaid • Mockoon • p5.js • python-benedict • React Starter Kit • Selenium • Sphinx• Spyder • ssh_config• Thunderbird for Android • Two.js • xyflow • Yii framework

These projects shape the day-to-day experience of writing, testing, and maintaining software.

The group includes tools such as Selenium, Sphinx, ImageMagick, calibre, Spyder, and other widely used utilities that appear throughout development and testing environments.

Improving security here reduces the risk that developer tooling becomes an unexpected attack vector, especially in automated or shared environments.

Identity, secrets, and security frameworks 🔒

external-secrets • Helmet.js • Keycloak • Keyshade • Oauth2 (Ruby) • varlock • WebAuthn (Go)

These projects form the backbone of authentication, authorization, secrets management, and secure configuration.

Session 3 participants included projects such as Keycloak, external-secrets, oauth2 libraries, WebAuthn tooling, and related security frameworks.

Maintainers in this group often reported shifting from reactive fixes to systematic threat modeling and long-term security planning, improving trust for every system that depends on them.

Security as shared infrastructure

One of the most durable outcomes of the program was a shift in mindset.

Maintainers moved security from a stretch goal to a core requirement. They shifted from reactive patching to proactive design, and from isolated work to shared practice. Many are now publishing playbooks, sharing incident response exercises, and passing lessons on to their contributor communities.

That is how security scales: one-to-many.

What’s next: Help us make open source more secure 

Securing open source is basic maintenance for the internet. By giving 67 heavily used projects real funding, three focused weeks, and direct help, we watched maintainers ship fixes that now protect millions of builds a day. This training, taught by the GitHub Security Lab and top cybersecurity experts, allows us to go beyond one-on-one education and enable one-to-many impact. 

For example, many maintainers are working to make their playbooks public. The incident-response plans they rehearsed are forkable. The signed releases they now ship flow downstream to every package manager and CI pipeline that depends on them.

Join us in this mission to secure the software supply chain at scale. 

• Projects and maintainers: Apply now to the GitHub Secure Open Source Fund and help make open source safer for everyone. Session 4 begins April 2026. If you write code, rely on open source, or want the systems you depend on to remain trustworthy, we encourage you to apply.
• Funding and Ecosystem Partners: Become a Funding or Ecosystem Partner and support a more secure open source future. Join us on this mission to secure the software supply chain at scale!

Thank you to all of our partners

We couldn’t do this without our incredible network of partners. Together, we are helping secure the open source ecosystem for everyone! 

Funding Partners: Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password

Ecosystem Partners: Atlantic Council, Ecosyste.ms, CURIOSS, Digital Data Design Institute Lab for Innovation Science, Digital Infrastructure Insights Fund, Microsoft for Startups, Mozilla, OpenForum Europe, Open Source Collective, OpenUK, Open Technology Fund, OpenSSF, Open Source Initiative, OpenJS Foundation, University of California, OWASP, Santa Cruz OSPO, Sovereign Tech Agency, SustainOSS

The post Securing the AI software supply chain: Security results across 67 open source projects appeared first on The GitHub Blog.

We’re continuing to modernize our IDEs, and in this update we’ve refreshed something you interact with constantly – the editor. These changes are designed to provide improved comfort, a cleaner look, and a more enjoyable experience during the hours you spend coding. We want to make the editor easier on the eyes, help you stay productive, and add a bit of fun variety.

What’s new

• New selection behavior: Selection now only highlights the actual text, not the blank space at the end of a line.
• New smooth caret movement: A new animation makes caret jumps easier to follow. This is a long-awaited request from our users.
• Smooth blinking and rounded caret: The editor now has a more modern look and feel, matching the recently introduced Islands UI theme.

New selection behavior

When working with code, you often have to select multiple lines at once, and it is important to be able to see what is included in the selection. The editor now highlights only the characters you actually selected, rather than the entirety of each line. This reduces the amount of blank blue space, making the selection itself clearer. It also removes ambiguity, letting you see exactly which characters are selected.

New smooth caret movement

This one has been on our wishlist for a long time. Like us, you work in the text editor every day, constantly navigating and modifying code. One way we’re making this experience more enjoyable is by introducing smooth, animated caret movement. You might not realize you need this until you try it. It enhances comfort and helps you stay oriented in your work, making the editor feel both more functional and visually pleasing.

At the same time, we recognize that excessive caret animations may give the impression of a delay when you’re typing and feel slow and unresponsive. We believe that typing must feel instantaneous, and we wanted to make sure to get it right. It is a significant challenge to introduce animations without breaking habits.

That’s why we built our own mode for caret movement – Snappy – which you won’t find in other editors. In this mode, the caret lands almost immediately where it should be and then settles with a smooth stop. The result feels quick yet smooth.

If you prefer clearly visible motion, there’s also Gliding mode, where the caret moves smoothly, making jumps easy to follow with your eyes. This option is similar to what you see in other popular text editors.

You can switch between movement modes using the Use smooth caret movement dropdown in Settings | Editor | General | Appearance. You can revert to the old behavior simply by disabling it.

Smooth blinking and rounded caret

We’ve also given the caret a new look. Its smooth blinking feels calmer and more modern. As a final touch, we rounded it to match rounded elements throughout the IDE in the Islands UI.

How to try it

These new features are all available in the latest early access builds of JetBrains IDEs, meaning there’s still time for us to adjust them based on your feedback. Give them a try and let us know what you think!

Try them in the IntelliJ IDEA EAP today

Confession time: I’ve read about the performance benefits of scroll-timeline(), but when I see an impressive JavaScript scrollytelling site like this one, it makes me question if the performance of old-school, main-thread scrollytelling is all that bad. The other shoe drops when the creators of that site admit they “ran into real limits,” and “mobile technically works, but it loses parallax and chops compositions,” to the extent that they “chose to gate phones to protect the first impression.” Put another way: they couldn’t get it working on mobile, and it sounds like JavaScript performance may have been one of the culprits.

The creator of another of my favorite scrolling experiments — which also uses JavaScript and also works best on desktop — called out that his text vortex section “would look better if it were applied for each character rather than each word, but that’s incredibly difficult to pull off using this same technique without incurring an astronomical performance impact.”

Challenge accepted.

He may have inadvertently created a realistic benchmark test for smoothly animating hundreds of divs based on scrolling.

That’s our cue to see if we can make a lookalike effect using modern CSS features to smoothly spiral every character in a string of text as the user scrolls down. To give the original text vortex some CSS sibling rivalry, let’s give the new sibling-index() function a whirl, although it is still waiting on Firefox support at the time of writing. Therefore, as a fallback for the CodePen below, you can also watch the video of the screen recording.

Confession #2: This uses some script

The only JavaScript is to split the text into a <div> for each character, but the animation is pure CSS. I could have hardcoded all the markup instead, but that would make the HTML annoying to read and maintain. The following script makes it easy for you to experiment with the pen by tweaking the text content.

const el = document.querySelector(".vortex");
el.innerHTML = el.innerHTML.replaceAll(/\s/g, '⠀');
new SplitText(".title", { type: "chars", charsClass: "char" });

The SplitText plugin referenced here is from the freely available GSAP library. The plugin is designed to be usable standalone outside GSAP, which is what’s happening here. It is nice and simple to use, and it even populates aria-label so screen readers can see our text, regardless of the way we tokenize it. The one complication was that I wanted every space character to be in its own <div> that I could position. The simplest way I could find was to replace the spaces with a special space character, which SplitText will put into its own <div>. If anyone knows a better way, I’d love to hear about it in the comments.

Now that we have each character living in its own <div>, we can implement the CSS to handle the spiral animation.

.vortex {
  position: fixed;
  left: 50%;
  height: 100vh;
  animation-name: vortex;
  animation-duration: 20s;
  animation-fill-mode: forwards;
  animation-timeline: scroll();

  .char {
    --radius: calc(10vh - (7vh/sibling-count() * sibling-index()));
    --rotation: calc((360deg * 3/sibling-count()) * sibling-index());

    position: absolute !important;
    top: 50%;
    left: 50%;
    transform: rotate(var(--rotation))
      translateY(calc(-2.9 * var(--radius)))
      scale(calc(.4 - (.25/(sibling-count()) * sibling-index())));
    animation-name: fade-in;
    animation-ranger-start: calc(90%/var(sibling-count()) * var(--sibling-index()));
    animation-fill-mode: forwards;
    animation-timeline: scroll();
  }
}

Spiral and fade the elements using sibling-index() and sibling-count()

We use the sibling-count and sibling-index functions together to calculate a gradual decrease for several properties of the characters when the sibling-index increases, using a formula like this:

propertyValue = startValue - ((reductionValue/totalCharacters) * characterIndex)

The first character starts near the maximum value. Each subsequent character subtracts a slightly larger fraction, so properties gradually dwindle to a chosen target value as the characters spiral inward. This technique is used to drive scale, rotation, and distance from the center.

If the goal had been to arrange the characters in a circle instead of a spiral, I would have used CSS trigonometric functions as demonstrated here. However, the spiral seemed simpler to calculate without trig. Evidently, the original JavaScript version that inspired my CSS text spiral didn’t use trig either. The scroll animation is relatively simple as it’s just scaling and rotating the entire parent element to give the illusion that the viewer is being sucked into the vortex.

The only animation applied to individual characters is fade-in which is delayed increasingly for each character in the string, using another variation on the usage of the ratio of sibling-index() to sibling-count(). In this case, we increment animation-range-start to stagger the delay before characters fade in as the user scrolls. It’s reminiscent of the infamous scroll-to-fade effect, and it makes me realize how often we reach for JavaScript just because it allows us to base styling on element indexes. Therefore, many JavaScript effects can likely be replaced with CSS once sibling-index() goes Baseline. Please do let me know in the comments if you can think of other examples of JavaScript effects we could recreate in CSS using sibling-index().

---

Spiral Scrollytelling in CSS With sibling-index() originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.