Content Developer II at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

Try out OpenAI o1 in GitHub Copilot and Models

Starting today, we’re opening a preview to give developers an opportunity to test OpenAI o1-preview and o1-mini, hosted on Azure, in both GitHub Copilot and Models. Sign up to get access to use OpenAI o1 in GitHub Copilot Chat with Visual Studio Code and in the playground with GitHub Models.

OpenAI o1 is a new series of AI models equipped with advanced reasoning capabilities, trained to think through complex tasks using an internal thought process. During our exploration of using o1-preview with GitHub Copilot, we found the model’s reasoning capability allows for a deeper understanding of code constraints and edge cases, producing a more efficient and higher quality result. And o1-preview’s deliberate and purposeful responses made it easy to pinpoint problems and quickly implement solutions.

Now, you can test it out and start building on GitHub with o1-preview and o1-mini. During the preview, you can choose to use o1-preview or o1-mini to power Copilot Chat in VS Code in place of the current default model, GPT-4o. Toggle between models during a conversation, moving from quickly explaining APIs or generating boilerplate code to designing complex algorithms or analyzing logic bugs. Using o1-preview or o1-mini with Copilot gives you a first-hand look at the new models’ ability to tackle complex coding challenges.

You can also test either of the o1 models in the playground in GitHub Models to discover their unique capabilities and performance. And once you’re familiar with how the models work, take the next step and start to integrate the models into your own apps.

Test OpenAI o1 in a playground in the GitHub Marketplace.

With this preview, we’re excited to bring OpenAI’s latest advancements to you, whether you’re developing software along with Copilot or building the next great LLM-based product. We can’t wait to see what you build!

The post Try out OpenAI o1 in GitHub Copilot and Models appeared first on The GitHub Blog.


SQL, NoSQL and Vectors, Oh My!

Database systems have been fundamental to information technology, supporting everything from basic applications to intricate enterprise systems. They play a crucial role in organizing, storing and retrieving large volumes of data, enabling informed decision-making and strategic planning.

As technology has progressed, database technology has evolved to address the growing complexity and diversity of data management needs — starting with structured SQL databases, moving to NoSQL databases and now advancing to vector databases. Each stage marks a shift in the way data is stored, retrieved and managed. While each database type is tailored for specific applications, the common goal remains: to store, retrieve and manage data efficiently and effectively.

SQL Databases: The Foundation of Structured Data

SQL databases, also known as relational databases, were the first widely adopted database systems, emerging in the 1970s with the development of IBM‘s System R and the theoretical foundation provided by Edgar F. Codd. These databases are built on a structured schema that defines tables, rows and columns to store data. The image below shows an example of a customer table in a relational database.

Figure 1: Customer table in a relational database.

This rigid structure ensures data integrity and enforces relationships between different data entities.

Let’s take a look at the strengths and limitations of SQL databases.

Strengths of SQL Databases

  • ACID compliance: SQL databases guarantee transactions’ atomicity, consistency, isolation and durability, making them ideal for applications where data integrity is paramount.
  • Complex querying: The structured nature of SQL databases allows for complex queries using SQL (Structured Query Language), which can join multiple tables and retrieve specific data.
  • Mature ecosystem: With decades of development, SQL databases like MySQL, PostgreSQL and Oracle offer robust support, tools and community resources.

Limitations of SQL Databases

  • Scalability challenges: SQL databases often face difficulties with horizontal scaling because they were initially designed to operate on a single server or a closely connected cluster. Although modern SQL databases now support horizontal scaling, implementing and managing them can still be more complex compared to some NoSQL alternatives.
  • Rigid schema: The need to define a schema upfront is a limitation in scenarios where the data structure evolves over time or when dealing with unstructured data.

Despite these limitations, SQL databases remain the go-to choice for applications with well-defined data relationships, such as financial systems, ERP systems and inventory management.

The NoSQL Revolution: Embracing Flexibility and Scalability

In response to the changing needs of modern applications, particularly those requiring handling large volumes of unstructured and semi-structured data such as social media posts, sensor data and web content, NoSQL databases emerged in the early 2000s. Unlike SQL databases, NoSQL databases do not require a fixed schema, allowing them to store data more flexibly.

NoSQL databases come in various forms, including document databases like CouchDB, key-value stores like etcd, column-family stores like Cassandra and graph databases like Neo4j. Take a look at these types of NoSQL databases in the image below:

Figure 2: Types of NoSQL databases.

Strengths of NoSQL Databases

  • Horizontal scalability: NoSQL databases are designed to scale out by distributing data across multiple servers, making them ideal for handling large-scale, high-traffic applications.
  • Schema flexibility: The lack of a fixed schema allows for rapid iteration and the ability to store unstructured or semi-structured data, such as JSON, XML or even multimedia files.
  • High availability: Many NoSQL databases prioritize availability and partition tolerance, often sacrificing strict consistency in favor of greater uptime and fault tolerance.

Limitations of NoSQL Databases

  • Eventual consistency: Some NoSQL databases use eventual consistency models, which can lead to temporary discrepancies in data.
  • Lack of standardization: The absence of a standard querying language like SQL makes it challenging to work across different NoSQL systems.

NoSQL databases have become the backbone of many modern web applications, big data platforms and real-time analytics systems, offering the flexibility and scalability that SQL databases often lack.

Vector Databases: Powering the Next Generation of AI

We have seen that the growth of unstructured and semi-structured data led to the rise of NoSQL databases. More recently, the need to gain insights from unstructured data, with all its complexities and nuances, has led to the emergence of a new type of database: the vector database. These databases are specifically designed to store and query vector embeddings, which are mathematical representations of unstructured data like text, images and audio.

What Are Vector Databases?

Vector databases are optimized for managing vector data, which differs from traditional databases’ structured rows and columns. Instead of storing text or numbers in a table, vector databases store dense, high-dimensional vectors generated by AI models. These vectors capture the essence of unstructured data, allowing for powerful similarity searches and data retrieval. A good example of a vector database is Milvus, which is the most popular vector database in terms of GitHub stars. Take a look at the image below that shows how a flower is represented in high-dimensional vectors.

Figure 3: An image represented in vector format.

A crucial feature of vector databases is the approximate nearest neighbor (ANN) search. ANN search enables the system to quickly find vectors most similar to a given query vector, which is essential for applications like image retrieval, recommendation systems and natural language processing.

For instance, an image search engine can retrieve images visually similar to a query image based on the distance between their vector representations in a high-dimensional space. The closer the vectors of an image stored in the vector database are to the query image, the more likely the two images are visually similar.

Benefits of Vector Databases

Vector databases offer several key advantages that make them indispensable in AI-driven applications. Let us take a look at some of these benefits:

  1. Scalability: Vector databases such as Milvus are designed to handle vast amounts of vector data, making them ideal for large-scale AI applications. They can scale horizontally, distributing data across multiple nodes to ensure high availability and fault tolerance.
  2. Efficiency in high-dimensional search: Traditional databases struggle with the complexity of high-dimensional data. Vector databases, on the other hand, are built specifically to perform efficient similarity searches on such data, enabling quick and accurate retrieval of relevant vectors.
  3. Integration with AI pipelines: Vector databases seamlessly integrate with machine learning models and AI pipelines, facilitating the storage, retrieval and processing of vector data. This integration is crucial for developing end-to-end AI solutions that require real-time data processing and analysis.
  4. Enhancing AI with context: In retrieval-augmented generation (RAG) systems, vector databases store domain-specific knowledge externally, supplying the large language model relevant context during generation. This reduces hallucinations in large language models (LLMs) and improves the accuracy of their outputs, especially in applications requiring precise, context-aware responses.

Since RAG is a trending technology, let’s take an in-depth look at how vector databases power this technology.

Vector Databases and Retrieval-Augmented Generation (RAG)

One of the most innovative applications of vector databases is retrieval-augmented generation (RAG), a technique that enhances the capabilities of LLMs by augmenting them with external knowledge. RAG systems combine LLMs’ generative power with vector databases’ retrieval capabilities to produce more accurate and contextually relevant responses.

In a RAG system, the vector database retrieves relevant information that can guide the large language model’s output. For example, when a user queries the system, a vector database retrieves documents or embeddings related to the query. These retrieved vectors provide context or specific information the language model uses to generate a more informed and precise response. This integration is valuable in applications such as customer support, where the ability to provide accurate and context-sensitive responses is critical.

Take a look at the following guide to understand how RAG is used in conjunction with vector databases to build AI apps.

Differences Between SQL, NoSQL and Vector Databases

For a more concise comparison between SQL, NoSQL and vector databases, take a look at the table below:

| Feature | SQL Databases | NoSQL Databases | Vector Databases |
|---|---|---|---|
| Data Model | Relational (tables with rows and columns) | Non-relational (document, key-value, graph, etc.) | Vector-based (high-dimensional embeddings) |
| Schema | Rigid, predefined schema | Flexible, dynamic schema | Schema-less; focuses on vector embeddings |
| Query Language | Structured Query Language (SQL) | Varies (NoSQL query languages, APIs) | Vector search methods (ANN, cosine similarity) |
| Data Type Focus | Structured data | Semi-structured and unstructured data | Unstructured data represented as vectors |
| Scalability | Vertical scaling (limited horizontal scaling) | Horizontal scaling | Highly scalable with horizontal distribution |
| Use Case Examples | Transactional systems, analytics | Big data, real-time web apps, distributed systems | AI/ML applications, similarity searches |
| Performance | Optimized for complex queries, joins | Optimized for speed and scalability | Optimized for high-dimensional vector similarity search |
| Typical Applications | Banking, ERP, CRM systems | Social networks, IoT, content management | Image retrieval, recommendation engines, NLP, RAG |
| Storage Format | Rows and columns | Varies (JSON, BSON, etc.) | High-dimensional vectors |

We have now examined the evolution of database technology to date. Let us now see what the future of databases might be like.

The Future of Database Technologies

The future of databases lies in the convergence of AI, big data and advanced search capabilities. Vector databases are set to lead this evolution, providing the backbone for AI-driven applications that require high-dimensional data search.

As technologies like RAG mature, databases will integrate more deeply with AI pipelines, enhancing real-time data processing and context-aware responses across industries. This shift will democratize AI, making advanced capabilities more accessible and driving innovation across sectors.

If you would like to get started learning about how vector databases work and how they power our everyday lives, take a look at this Vector Database 101 series guide.

Conclusion

The evolution of database technology from SQL to NoSQL to vector databases reflects the changing needs of data management in an increasingly complex and data-rich world. SQL databases laid the foundation with their structured approach, ensuring data integrity and enabling complex queries.

NoSQL databases brought flexibility and scalability to handle large volumes of unstructured data, driving modern web applications and real-time analytics. Now, vector databases are emerging as a critical tool in AI-driven applications, powering advanced similarity search capabilities and enhancing AI models with contextual understanding.

As technology advances, vector databases such as Milvus and Zilliz Cloud, fully managed Milvus, will play a pivotal role in the future of AI and data management, offering new ways to store, retrieve and analyze data. The continued integration of AI with databases promises to unlock even greater possibilities, making data-driven insights more accessible and impactful across industries.

The post SQL, NoSQL and Vectors, Oh My! appeared first on The New Stack.


Data Science Pack for VS Code Bundles Python, Data and Copilot Tools

New extension pack bundles wildly popular tools for Python development, assisted by the AI-powered GitHub Copilot and a data wrangler.

Most Dangerous JavaScript Vulnerabilities To Watch For in 2025

JavaScript has once again retained its title as the top programming language in Stack Overflow’s annual developer survey (overall, not just for web development), fending off rivals like Rust, but that doesn’t mean it’s airtight and invulnerable.

On the contrary — JS is validated client-side, which means hackers are continuously developing new ways to exploit vulnerabilities and stay one step ahead of devs and security experts.

So, in this article, we’ll tackle the vulnerabilities and attack vectors causing the most headaches for JavaScript developers. And by the looks of it, these issues will stay hot topics well into 2025 and possibly beyond.

JavaScript: Security Concerns and Challenges

In 2023, a particularly nasty JavaScript malware was unleashed on 40 banks and 50,000 users across the world. It was delivered via phishing and generated fake login pages, equipped with malicious JS code designed to snatch OTPs (one-time passwords) and other login data.

This case, and many others similar to it, highlights the fact that even something as ubiquitous as JS can be prone to exploits.

First comes reputational loss, of course. But if a threat actor exploits a JS vulnerability and manages to access user data, especially if it’s kept in the form of MS 365 backups or on a Google Drive that is poorly protected, the consequences could be calamitous.

The exploited website may be culpable for any financial loss if such an incident occurs. Not to mention, relevant authorities will take a closer look at the site and check for any other violations.

To make things even worse, there are thousands of third-party JS libraries, each with various known vulnerabilities that threat actors can exploit with varying degrees of difficulty. These risks can be amplified if web owners fail to implement relevant security policies such as CSP and SRI, since JavaScript environments don’t have built-in security permissions as standard.

The point is: if you don’t care about shoring up your JS code for security purposes, the costs will be dizzying!

7 JavaScript Vulnerabilities To Watch Out For In 2025

Threat actors are turning to new and more advanced techniques to bypass existing security protocols and turn JS into their golden goose. At the same time, some old threats are still looming in the background.

1. Advanced Cross-Site Scripting Attacks (XSS)

An XSS attack involves a hacker injecting malicious scripts into a website and can be achieved in several ways. Once injected, the script typically executes malware that infects the website or the user’s machine when they access the website or application.

The goal is to steal sensitive information or modify the website to conduct malicious activity. This attack often targets banks, financial institutions, and websites that handle financial transactions.

It can be a sneaky way for cybercriminals to read bank statements, record the entry of financial details (sniffing), and find vulnerabilities to attack either the end-user or the financial institution itself.

2. Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) forces authenticated end users to execute unintended actions. It’s often delivered via social engineering techniques such as sending a link in an email, web chat, or SMS text, tricking users into transferring funds or entering financial details.

This technique can be even more disastrous if it compromises a user who has a high level of access, potentially compromising the entire application and all its users. To make things even worse, AI-generated attacks muddy the waters by making it harder to discern fake pages from real ones.

Thus, the most effective method for preventing CSRF attacks, other than educating web users on the risk of social engineering, is to include CSRF tokens within relevant requests. These tokens enforce strict criteria that are uniquely tied to each user session, preventing malicious actors from striking.
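One way to issue and check session-bound CSRF tokens in Node.js, added here as an example and not taken from the original article. The HMAC construction, the `x-csrf-token` header name and the shape of the request object are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Server-side secret. Generated per process here; a real deployment would
// load it from a secret store so tokens survive restarts.
const CSRF_SECRET = nodeCrypto.randomBytes(32);

// MAC over the session identifier and a per-token nonce.
function macFor(sessionId, nonce, secret) {
  return nodeCrypto
    .createHmac("sha256", secret)
    .update(`${sessionId}.${nonce}`)
    .digest();
}

// Issue a token that is only valid for the session it was created for.
function issueCsrfToken(sessionId, secret = CSRF_SECRET) {
  const nonce = nodeCrypto.randomBytes(16).toString("hex");
  return `${nonce}.${macFor(sessionId, nonce, secret).toString("hex")}`;
}

// Recompute the MAC for the caller's own session and compare in constant time.
function verifyCsrfToken(sessionId, token, secret = CSRF_SECRET) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 2) return false;
  const [nonce, macHex] = parts;
  const given = Buffer.from(macHex, "hex"); // invalid hex yields a short buffer
  const expected = macFor(sessionId, nonce, secret);
  if (given.length !== expected.length) return false;
  return nodeCrypto.timingSafeEqual(given, expected);
}

// Gate for incoming requests: state-changing methods must carry a valid token.
// `req` is a plain object with method, sessionId and headers (hypothetical shape).
function checkRequest(req) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) {
    return { allowed: true, reason: "safe method" };
  }
  const token = req.headers["x-csrf-token"];
  return verifyCsrfToken(req.sessionId, token)
    ? { allowed: true, reason: "valid token" }
    : { allowed: false, reason: "missing or invalid CSRF token" };
}
```

A forged cross-site request carries the victim's session cookie but cannot read the token from the legitimate page, so `checkRequest` rejects it.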

3. Server-Side JavaScript Injection (SSJI)

Server-side code injection vulnerabilities are present in web applications that integrate user-controllable data in a string that is dynamically evaluated by a code interpreter.

If the data is not validated correctly, threat actors can modify the input and inject arbitrary code that is then executed on the server. If successful, this type of attack can compromise an entire application in terms of both data and functionality — and even use the webserver to launch additional attacks on other systems.

To prevent SSJI attacks, user-controllable data should not be incorporated in dynamically evaluated code. If this isn’t possible then all code needs to be strictly validated, preferably using a whitelist that only accepts specific values.
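The difference between evaluating user input and looking it up in an allowlist, shown as an added example that is not part of the original article. The order records, the sort-field parameter and the probe string are constructed for illustration; the probe only sets a harmless flag to show that the unsafe version runs caller-supplied code.

```javascript
// Constructed sample records standing in for rows returned by a query.
const ORDERS = [
  { id: 3, total: 40, createdAt: 1700000300 },
  { id: 1, total: 95, createdAt: 1700000100 },
  { id: 2, total: 10, createdAt: 1700000200 },
];

// VULNERABLE: the request parameter is concatenated into source text that the
// interpreter then evaluates, so the caller controls code, not just data.
function sortOrdersUnsafe(orders, sortField) {
  const compare = new Function("a", "b", `return a.${sortField} - b.${sortField};`);
  return [...orders].sort(compare);
}

// HARDENED: each accepted value maps to a fixed comparator. The input is only
// ever used as a lookup key and is never evaluated.
const SORTERS = Object.freeze({
  id: (a, b) => a.id - b.id,
  total: (a, b) => a.total - b.total,
  createdAt: (a, b) => a.createdAt - b.createdAt,
});

function sortOrdersSafe(orders, sortField) {
  const known =
    typeof sortField === "string" &&
    Object.prototype.hasOwnProperty.call(SORTERS, sortField); // own keys only
  if (!known) throw new RangeError("unsupported sort field");
  return [...orders].sort(SORTERS[sortField]);
}

// Feed both functions the same constructed probe and report what happened.
function compareHandling() {
  const probe = "id, globalThis.__ssjiProbe = true"; // constructed, benign
  delete globalThis.__ssjiProbe;

  sortOrdersUnsafe(ORDERS, probe);
  const unsafeEvaluatedInput = globalThis.__ssjiProbe === true;
  delete globalThis.__ssjiProbe;

  let safeRejected = false;
  try {
    sortOrdersSafe(ORDERS, probe);
  } catch (err) {
    safeRejected = err instanceof RangeError;
  }
  const safeEvaluatedInput = globalThis.__ssjiProbe === true;
  return { unsafeEvaluatedInput, safeRejected, safeEvaluatedInput };
}
```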

4. Formjacking

An old threat, formjacking can still result in data theft with relative ease. All that’s needed is a shoddy codebase, and the following happens:

  1. Attackers typically inject a small piece of JS code into the website’s form-handling processes.
  2. When a user submits the form, the malicious JS intercepts the data and sends it to the attacker’s server before (or instead of) sending it to the legitimate destination.
  3. The user and the website owner are often unaware of the theft, as the form behaves normally.

Formjacking is a growing concern, particularly for e-commerce websites or any web applications that handle sensitive user information through forms. The only way to combat this well-known risk is to run regular integrity checks and offer users one-time payment options for e-commerce.

5. Prototype Pollution

Prototype pollution is a JS vulnerability that allows threat actors to add arbitrary properties to global object prototypes, which user-defined objects can also inherit. These prototypes can then be used to allow or override object behaviors.

To initiate the attack, threat actors must identify JS functions or DOM elements that enable arbitrary code execution.

After exploiting these global objects, hackers can control properties in a web application that would otherwise have been unattainable, allowing them to launch attacks from within.

In a scenario where the client-side JavaScript has been exploited, the hacker will likely attempt a DOM XSS. Meanwhile, server-side, prototype pollution is generally used to conduct remote code execution.
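How a recursive merge of parsed JSON ends up writing to `Object.prototype`, next to a merge that refuses the dangerous keys; this is an added example, not code from the original article. The function names, the `isAdmin` property and the payload are constructed for illustration.

```javascript
// VULNERABLE: follows every enumerable key, including "__proto__". For that
// key, target[key] resolves to Object.prototype, so the recursion writes
// properties that every object in the process then inherits.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach a prototype when used as a property path.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// HARDENED: own keys only, blocked keys skipped, and nested targets must be
// own properties before the merge descends into them.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const hasOwnObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] !== null &&
        typeof target[key] === "object";
      if (!hasOwnObject) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run both merges on the same constructed payload and record what a fresh,
// unrelated object inherits afterwards. The pollution is removed before returning.
function comparePollution() {
  const payload = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

  const merged = mergeSafe({}, payload);
  const afterSafe = {}.isAdmin; // still undefined

  mergeUnsafe({}, payload);
  const afterUnsafe = {}.isAdmin; // inherited from Object.prototype

  delete Object.prototype.isAdmin; // clean up the demonstration
  return { theme: merged.theme, afterSafe, afterUnsafe };
}
```

Storing untrusted key/value data in a `Map` or in objects created with `Object.create(null)` removes the inherited prototype from the picture altogether.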

6. Insecure Direct Object References (IDOR)

Insecure direct object references (IDOR) mainly affect web applications that rely on user-supplied input to access objects and database records.

This incorrect access control implementation can result in these controls being redirected, granting unauthorized access to the threat actor. Think of a Node.js-built app accessing user IDs from a database and things only spiraling from there.

How to combat IDOR attacks? Well, developers should avoid using direct object references when building a JS application, and instead implement user input validation, globally unique identifiers (GUIDs), and random identifiers to prevent IDOR vulnerabilities.

7. Supply Chain Attacks

Supply chain attacks target third-party tools and services used to provide web functionality. An example of this is third-party libraries that contain pre-written scripts to make developing websites and applications easier.

As a result, indirect attacks target the dependencies that connect a third-party tool to an application, such as those that power AI chatbots or allow a website to accept payments.

A threat actor will usually target a specific vendor, adding malicious code to their software which is then rolled out to clients when they install an update. Because the client trusts the source, these attacks can successfully infiltrate in huge numbers.

The June 2024 attack using the Polyfill.io JS library is perhaps the most recent example of this type of attack occurring. While the obvious solution is to focus on well-known open source libraries, this also stifles innovation by slowing down the adoption of newer, more efficient JS libraries.
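The SRI policy mentioned earlier and the regular integrity checks recommended under formjacking both come down to pinning a hash of the script you reviewed and comparing what is served against it. The following Node.js code is an added example, not from the original article; the asset URL, the file contents and the function names are constructed. `verifyIntegrity` follows the browser rule that only the strongest listed algorithm counts, but fails closed when no usable hash is present.

```javascript
const nodeCrypto = require("node:crypto");

// Weakest to strongest; used to pick the algorithm that counts.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Value for a script tag's integrity attribute, computed from the reviewed file.
function sriHash(content, algorithm = "sha384") {
  if (!ALGORITHMS.includes(algorithm)) throw new RangeError("unsupported algorithm");
  const digest = nodeCrypto.createHash(algorithm).update(content).digest("base64");
  return `${algorithm}-${digest}`;
}

// Check content against an integrity value that may list several hashes.
function verifyIntegrity(content, integrity) {
  const entries = String(integrity)
    .trim()
    .split(/\s+/)
    .map((token) => token.split("?")[0]) // drop any option suffix
    .map((token) => {
      const dash = token.indexOf("-");
      return { algorithm: token.slice(0, dash), digest: token.slice(dash + 1) };
    })
    .filter((entry) => ALGORITHMS.includes(entry.algorithm));
  if (entries.length === 0) return false; // nothing usable pinned: fail closed

  const strongest = entries.reduce(
    (best, entry) =>
      ALGORITHMS.indexOf(entry.algorithm) > ALGORITHMS.indexOf(best) ? entry.algorithm : best,
    entries[0].algorithm
  );
  const actual = sriHash(content, strongest).slice(strongest.length + 1);
  return entries.some((e) => e.algorithm === strongest && e.digest === actual);
}

// Periodic check: compare what is currently served with the pinned values.
// `assets` is [{ url, body }]; `pinned` is a Map of url -> integrity string.
function auditAssets(assets, pinned) {
  return assets.map(({ url, body }) => {
    if (!pinned.has(url)) return { url, status: "unpinned" };
    return { url, status: verifyIntegrity(body, pinned.get(url)) ? "ok" : "modified" };
  });
}

// Script tag that makes the browser enforce the same pin.
function scriptTag(url, content) {
  return `<script src="${url}" integrity="${sriHash(content)}" crossorigin="anonymous"></script>`;
}

// Constructed sample: the reviewed library and a later, altered copy of it.
const REVIEWED = "export const add = (a, b) => a + b;\n";
const SERVED_LATER = REVIEWED + "/* extra line added after review */\n";
const SAMPLE_URL = "https://cdn.example.com/lib.js"; // placeholder URL
```

An audit result of `modified` means the served file no longer matches what was reviewed; a browser loading the tag from `scriptTag` refuses to run such a file.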

Conclusion

The benefits of JavaScript when building websites and web applications are evident, but the programming language’s widespread popularity also brings risks. As JavaScript is validated client-side, the process of securing apps becomes more difficult.

Many of these vulnerabilities are created when the application is developed, with mistakes such as incorrect input validation and the use of user-controllable data being two of the most common errors.

However, some attacks require more advanced mitigation techniques such as the use of security tokens. Stay safe out there.

The post Most Dangerous JavaScript Vulnerabilities To Watch For in 2025 appeared first on The New Stack.


Microsoft 365 Certification control spotlight: Change controls

Developers in multiple industries have faced issues due to system modifications or updates that were implemented without comprehensive review and testing. The evaluation of new software, code, or alterations in network configurations needs to be executed in a secure environment that shields the broader organization from potential dangers. Without adequate separation, testing environments can become targets for hackers seeking to access customer information.

ISVs use change controls to prevent unauthorized or untested changes from adding security risks to an app ecosystem. Having these safeguards in place can help prevent outages, disruptions, data loss, or corruption, all of which make systems more susceptible to cyberattacks.

Change controls are the processes and procedures used to manage changes in an organization’s systems or software. They validate that any requested changes have been carefully considered and documented. This involves evaluating how the change will affect system security, outlining recovery steps in case of issues, and specifying the testing required to confirm the change’s effectiveness.

Change controls help to minimize the risk of system outages and potential security incidents caused by improper changes being introduced. They ensure that all changes are effectively managed, peer-reviewed, and adequately tested to validate that apps are secure.

Microsoft 365 Certification validates change controls are in place

Microsoft 365 Certification validates that changes introduced to an app’s production environments are implemented through documented change requests. These change requests must contain information about the impact of the change, details of back-out procedures, testing to be carried out, and review and approval by authorized personnel.

Developers provide evidence showing that the approval process is being followed, which can be demonstrated with signed documents, tracking within change control systems, or using tools like Azure DevOps or JIRA to track requests and authorization.

Auditors will review evidence that development and testing/staging environments are distinctly separate, ensuring error reduction through stringent boundaries. Access controls are established to prevent unauthorized alterations or data leaks, and sensitive information is excluded from the testing area.

Next steps

To learn more on how Microsoft 365 Certification validates change controls are in place for your application, visit the Microsoft 365 Certification change controls evidence requirements.

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.

The post Microsoft 365 Certification control spotlight: Change controls appeared first on Microsoft 365 Developer Blog.


Elevating your search experience: Stack Overflow for Teams ML-powered reranking experiment

Today, we're excited to share details about our latest experiment that aims to make your search results in Stack Overflow for Teams Enterprise even more relevant and useful.