Explore the latest engineering posts and summaries

Search by topic, company, or concept and scan results quickly.

Posts indexed431

Last indexedMar 14, 2026

Cloudflare BlogMar 9, 2026

Fixing request smuggling vulnerabilities in Pingora OSS deployments

Why it matters: Request smuggling vulnerabilities can lead to critical security breaches like session hijacking and cache poisoning. For engineers using Pingora as an ingress proxy, upgrading to 0.8.0 is essential to ensure RFC compliance and prevent connection desynchronization attacks.

Cloudflare patched three HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) in Pingora 0.8.0.
One flaw involved Pingora prematurely entering passthrough mode for Upgrade requests before receiving a 101 Switching Protocols response.
Vulnerabilities also stemmed from non-RFC-compliant interpretations of request bodies involving Transfer-Encoding in specific HTTP contexts.
These issues could allow attackers to bypass security controls, hijack user sessions, or poison caches in standalone Pingora deployments.
Cloudflare's CDN was unaffected due to architectural safeguards and internal proxy configurations that prevent these exploitation vectors.
Users of the Pingora framework are strongly urged to upgrade to version 0.8.0 to mitigate risks of connection desynchronization.

#security #sre

Read original

Cloudflare BlogMar 9, 2026

Complexity is a choice. SASE migrations shouldn’t take years.

Why it matters: Engineers can bypass the 'marathon of misery' of multi-year SASE deployments. By using programmable, identity-centric tools, teams can secure global infrastructure and AI workflows in weeks rather than years, reducing technical debt and improving performance.

Cloudflare One reduces SASE migration timelines from 18 months to 6 weeks by replacing legacy hardware-centric approaches with a software-defined connectivity cloud.
The platform utilizes identity-first on-ramps and consolidated policy engines to eliminate the 'trombone effect' and latency common in traditional service chaining.
Lightweight cloud-native connectors like cloudflared enable instant connectivity without requiring inbound firewall port changes.
The extensible edge allows for custom environment support, such as creating native services for Arch Linux to maintain consistent device posture checks.
Integrated AI security tools provide shadow AI visibility and Data Loss Prevention (DLP) to control sensitive data flow into LLMs.

#security #sre #dist

Read original

Pinterest EngineeringMar 6, 2026

Unified Context-Intent Embeddings for Scalable Text-to-SQL

Why it matters: Scaling Text-to-SQL in large enterprises fails with simple RAG due to schema complexity. By encoding historical analyst intent and governance metadata into embeddings, engineers can build agents that provide trustworthy, context-aware queries instead of just syntactically correct ones.

Pinterest evolved its Text-to-SQL system into a production Analytics Agent by focusing on analytical intent rather than just raw SQL syntax.
The system utilizes unified context-intent embeddings, which translate historical SQL queries into semantically rich natural language descriptions using LLMs.
A three-step pipeline injects domain context, such as glossary terms and metric definitions, before converting SQL to structured text summaries.
Retrieval is enhanced by structural and statistical patterns, extracting validated join keys and aggregation logic from historical query data.
A governance-aware ranking system prioritizes trustworthy data by incorporating table tiers, usage signals, and documentation quality from the PinCat catalog.
This approach addresses the challenges of a massive data warehouse by grounding AI outputs in patterns that have historically worked for human analysts.

#data #mlp

Read original

GitHub EngineeringMar 6, 2026

How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework

Why it matters: This framework enables engineers to leverage LLMs for deep security audits, moving beyond simple pattern matching to find complex logic flaws. By open-sourcing these taskflows, GitHub allows teams to automate high-quality vulnerability research and improve software supply chain security.

GitHub Security Lab's Taskflow Agent is an open-source framework that uses AI to perform deep security audits on codebases.
The framework utilizes YAML-based 'taskflows' to chain multiple LLM prompts, overcoming context window limitations and reducing hallucinations.
It automates repository decomposition by identifying entry points, intended privileges, and component purposes to provide structured context for analysis.
The system has successfully identified over 80 high-impact vulnerabilities, including complex authorization bypasses and PII disclosure issues.
Engineers can run audits via GitHub Codespaces, utilizing models like GPT or Claude to perform iterative, non-deterministic security scans.

#security #mlp

Read original

Netflix Tech BlogMar 6, 2026

Scaling Global Storytelling: Modernizing Localization Analytics at Netflix

Why it matters: Scaling localization requires moving from siloed data pipelines to a centralized architecture. By consolidating business logic and focusing on backend reliability, engineers reduce technical debt and ensure data consistency across global teams while unlocking granular user behavior insights.

Netflix modernized its localization analytics by consolidating fragmented pipelines and siloed dashboards into a unified backend architecture.
The team implemented a 'write once, read many' strategy, centralizing complex business logic into core tables to ensure data consistency across domains.
An audit of over 40 tools led to the prioritization of backend consolidation over frontend patches to reduce long-term maintenance burdens.
They addressed 'Not-So-Tech Debt' by improving the user experience and creating intuitive metrics like unified Language Asset Consumption.
Future initiatives include event-level analytics to capture granular data, such as subtitle reading speed, to optimize member engagement and style guidelines.

#data #culture

Read original

Cloudflare BlogMar 6, 2026

From the endpoint to the prompt: a unified data security vision in Cloudflare One

Why it matters: This unified approach addresses the 'endpoint-to-prompt' challenge, ensuring security policies follow data across tools and AI interfaces. For engineers, it simplifies visibility and control over sensitive information without sacrificing productivity or creating siloed security gaps.

Cloudflare One introduces browser-based RDP clipboard controls to manage data movement between local devices and remote sessions.
Operation mapping now enriches logs with specific SaaS actions, such as 'SendPrompt' in ChatGPT, to simplify policy authoring and forensic analysis.
Endpoint DLP is being integrated into the Cloudflare One Client to protect data in use, specifically monitoring and controlling OS clipboard activity.
New CASB integrations provide security scanning for Microsoft 365 Copilot, identifying sensitive data risks within AI-driven workflows.
The unified vision aims to secure data across its entire lifecycle: in transit, at rest, in use on endpoints, and at the AI prompt interface.

#security #data

Read original

GitHub EngineeringMar 5, 2026

60 million Copilot code reviews and counting

Why it matters: AI-driven code reviews are reaching massive scale, shifting from pattern matching to agentic reasoning. For engineers, this means faster PR cycles and higher-quality feedback, as tools now prioritize architectural context and actionable signals over generic linting or noise.

GitHub Copilot Code Review (CCR) now accounts for 20% of all reviews on the platform, totaling over 60 million reviews.
The system transitioned to an agentic architecture that uses tool-calling to retrieve repository context and reason across complex logic.
GitHub prioritizes high-signal feedback, with the AI remaining silent in 29% of cases to avoid developer fatigue and noise.
Performance is measured through a continuous evaluation loop focusing on accuracy, signal quality, and developer sentiment.
The team deliberately trades off latency for quality, accepting a 16% increase in review time for a 6% improvement in positive feedback.
The agentic design allows the system to understand repository-specific invariants and architectural logic rather than just syntax.

#mlp #culture

Read original

GitHub EngineeringMar 5, 2026

Scaling AI opportunity across the globe: Learnings from GitHub and Andela

Why it matters: This article highlights how structured AI integration in production workflows bridges the global talent gap. For engineers, it demonstrates practical strategies for using AI to navigate legacy systems, improve test coverage, and accelerate onboarding in high-stakes environments.

GitHub and Andela partnered to train 3,000 global engineers on GitHub Copilot through a structured AI Academy program.
The initiative focuses on 'learning inside real work,' integrating AI tools directly into production IDEs, PR reviews, and refactoring tasks.
Engineers use AI to accelerate orientation in legacy codebases by generating unit tests to establish coverage before modification.
The program addresses regional challenges such as unreliable connectivity, high compute costs, and the need for localized training content.
AI adoption is treated as a workflow integration rather than a standalone certification, ensuring tools are evaluated under real production constraints.
Key benefits reported include faster onboarding to unfamiliar systems and increased confidence when handling ambiguous or high-stakes tasks.

#culture #mlp

Read original

Salesforce EngineeringMar 5, 2026

How Data 360 Optimized Kubernetes Scheduling Architecture, Delivering 13% Cost Savings

Why it matters: Optimizing Kubernetes scheduling for bursty Spark workloads resolves the conflict between cost efficiency and job stability. By moving from reactive consolidation to proactive bin-packing, engineers can achieve significant cost savings without triggering disruptive pod evictions.

Salesforce's Data 360 team optimized Kubernetes scheduling for Spark workloads, managing 2 million daily applications at global scale.
The default LeastAllocated strategy caused node fragmentation by spreading executors across the cluster, leaving many nodes underutilized.
Reactive autoscaling with Karpenter led to job instability, as evicting executors for consolidation triggered expensive Spark task retries.
The team implemented a custom scheduler using the MostAllocated scoring strategy via the NodeResourcesFit plugin to prioritize high-density bin-packing.
This proactive placement logic ensures executors are packed onto existing nodes before spinning up new capacity, reducing fragmentation.
The architectural shift delivered a 13% reduction in infrastructure costs while maintaining high reliability for critical data workloads.

#data #finops #dist

Read original

Cloudflare BlogMar 5, 2026

Ending the "silent drop": how Dynamic Path MTU Discovery makes the Cloudflare One Client more resilient

Why it matters: Engineers often face 'zombie' connections caused by MTU mismatches and blocked ICMP feedback. By implementing active probing via QUIC, Cloudflare eliminates these silent failures, ensuring robust connectivity across diverse, unmanaged network infrastructures without manual tuning.

Cloudflare One Client now implements Dynamic Path MTU Discovery (PMTUD) to prevent 'black hole' packet loss and connection hangs.
Traditional PMTUD relies on ICMP messages that are frequently blocked by firewalls, leading to silent packet drops.
The new implementation follows RFC 8899, using active probing to interrogation the network path instead of relying on ICMP feedback.
Leveraging the MASQUE protocol and QUIC, the client sends encrypted probes of varying sizes to determine the optimal MTU.
The client dynamically resizes its virtual interface MTU on the fly, ensuring seamless transitions between different network environments like Wi-Fi and LTE.
This active discovery mechanism maintains session stability for mission-critical applications on restrictive or legacy infrastructure.

#security #dist

Read original

Page 3 of 44

Prev 1 2 3 4 5...44 Next