Always compute SHA256 for remote distributions and add PyEmscripten platform (PEP 783) support for browser/WASM Python packaging.
SHA256 verification on all remote distributions hardens supply-chain security by default. PyEmscripten support unblocks Python packaging for browser environments without manual verification workarounds.
Drop-in upgrade for existing uv users. No breaking changes; CPython 3.15.0b2 support is additive. Worth updating now if you manage Python distributions or target WASM environments. Fixes cross-platform installation edge cases (Windows on non-Windows hosts).
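The SHA256 check described above, as an added example that is not uv's own code: the expected digest for a downloaded distribution is compared against a digest streamed from the file on disk before the archive is installed. The sample archive bytes and their digest are constructed here so the snippet runs offline; a real installer takes the expected digest from the index metadata.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: stand-in bytes for a downloaded distribution archive and the
# digest a distribution index would publish for it. Not a real CPython build.
SAMPLE_ARCHIVE = b"constructed-cpython-distribution-bytes\n"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_distribution(path, expected_sha256):
    """Return True only if the on-disk digest matches the published one.

    The comparison is constant-time; a mismatch means the archive must not be
    unpacked or installed, regardless of how it was fetched.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def demo():
    """Write the constructed archive, verify it, then tamper with it and verify again.

    Returns (intact_ok, tampered_ok); the expected result is (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "cpython-constructed.tar.gz")
        with open(archive, "wb") as fh:
            fh.write(SAMPLE_ARCHIVE)
        intact_ok = verify_distribution(archive, EXPECTED_SHA256)

        # Simulate a corrupted or substituted download: flip a single byte.
        with open(archive, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        tampered_ok = verify_distribution(archive, EXPECTED_SHA256)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Computing the digest unconditionally, rather than only when one is published, is what turns the check from an opt-in into a default: a distribution without a known digest fails closed instead of being installed unverified.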
“Always compute SHA256 for remote distributions (#19662)”
“Add PyEmscripten platform (PEP 783) (#19629)”
“Skip Unix-specific installation steps when cross-installing Windows Python distributions (#19424)”
Developers managing multi-project teams now sync code review guidelines once instead of per-project; native secrets storage cuts operational overhead of maintaining separate HashiCorp Vault or AWS Secrets Manager instances.
Group-level instructions defined in .gitlab/duo/mr-review-instructions.yaml cascade to every project in the group, replacing per-project duplication immediately. Secrets Manager requires Premium/Ultimate tier and explicit opt-in per group/project; it is still in open beta (not production-ready per policy). Start with review instructions now; defer secrets to the stable release or test in non-production first.
“Group-level custom review instructions for GitLab Duo”
“you could only define custom review instructions for GitLab Duo at the project level. Teams working across many projects in the same group had to duplicate the same instructions in every project”
“GitLab Secrets Manager is now available in open beta for Premium and Ultimate customers on GitLab.com and GitLab Self-Managed”
“During open beta, GitLab Secrets Manager follows the beta support policy and might not be ready for production use”
“Most teams relied on external services such as HashiCorp Vault or AWS Secrets Manager”
Spring AI 2.0 GA deprecates older Gemini models; six frameworks ship critical CVE fixes requiring immediate dependency updates.
Multiple frameworks expose deserialization and authentication bypasses—Spring HATEOAS, Kafka, and LDAP all ship urgent patches. Spring AI model enum changes break existing code pointing to GEMINI_2_0_FLASH and GEMINI_2_0_FLASH_LIGHT.
Upgrade Spring Boot, Spring Security, Spring AMQP, Spring Kafka, and Spring Vault immediately for CVE coverage. Audit Spring AI integration if using older Gemini models; migrate to GEMINI_3_1_PRO_PREVIEW. Spring Data 2026.0.0 adds type-safe property paths and Kotlin 2.3.20 support—worth adopting if targeting those versions. Test Vault's new path-handling abstractions (VaultClient, ReactiveVaultClient) before production migration.
“Spring AI 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades”
“deprecations of the GEMINI_2_0_FLASH, GEMINI_2_0_FLASH_LIGHT and GEMINI_3_PRO_PREVIEW enumerations in favor of a new GEMINI_3_1_PRO_PREVIEW enumeration”
“CVE-2026-41006, a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations”
“a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache”
“removal of the wildcard character from all Jackson message converters to "trust no one" by default”
“new VaultClient and ReactiveVaultClient, designed to provide an "intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage"”
pg_durable runs fault-tolerant long-running workflows as native SQL functions with built-in retry, checkpointing, and recovery—removing the need for separate job queues, schedulers, and orchestrators.
Developers can eliminate infrastructure glue (cron jobs, message queues, external orchestrators) by pushing workflow state directly into PostgreSQL. Execution survives crashes and resumes from checkpoints automatically, reducing distributed system complexity.
Replaces Temporal, external job schedulers, and async task queues for Postgres-native workloads. Requires PostgreSQL, Rust-based background worker, and DSL learning (~> and |=> operators). Ready now for vector pipelines and scheduled maintenance; production use depends on your tolerance for early-stage extensions.
“workflows are expressed directly in SQL, with the extension handling execution concerns such as retries, fan-out, and recovery”
“some app-tier workers, queue consumers, or scheduler glue can disappear entirely”
“If the database crashes, restarts, or a step fails, execution resumes from the last durable checkpoint”
“The extension persists function execution state in PostgreSQL tables, allowing workflows to survive crashes, restarts, and failovers”
Cornell researchers demonstrate that single user-generated comments with lexically similar text to queries reliably manipulate LLM outputs and citations—a trivial attack vector exploitable via content placement on Reddit, Wikipedia, and similar platforms.
If you build with RAG systems or integrate deep research agents, you're importing poisoned training data from UGC sites at scale. This breaks the reliability contract developers rely on when citing scraped sources, forcing you to either add adversarial filtering layers or distrust external citations entirely.
Replaces the assumption that UGC-sourced citations are trustworthy. Requires validation of cited content against author/domain reputation, deduplication of similar claims across sources, and lexical anomaly detection for suspiciously query-aligned text. Not production-ready until your retrieval pipeline includes poison detection—consider it now if you already cite Reddit/Wikipedia in agent outputs.
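One way to implement the "lexical anomaly detection for suspiciously query-aligned text" mentioned above, as an added example that is not the researchers' method or code: before a retrieved passage is fed to the model or cited, short snippets whose content words echo almost the entire query are flagged for review. The word-count window and coverage threshold are tunable assumptions; the query and the two sample snippets are constructed.

```python
import re

TOKEN_RE = re.compile(r"[a-z0-9']+")

# Small constructed stop-word list so function words do not inflate the overlap score.
STOPWORDS = {
    "a", "an", "and", "are", "be", "been", "for", "i", "i've", "in", "is", "it",
    "of", "on", "or", "the", "to", "what", "which", "with",
}


def tokens(text):
    """Lower-cased word tokens (apostrophes kept so contractions stay one token)."""
    return TOKEN_RE.findall(text.lower())


def content_terms(text):
    """Distinct tokens with stop-words removed."""
    return {t for t in tokens(text) if t not in STOPWORDS}


def query_coverage(query, snippet):
    """Fraction of the query's content terms that the snippet repeats (0.0 to 1.0)."""
    q = content_terms(query)
    if not q:
        return 0.0
    return len(q & content_terms(snippet)) / len(q)


def screen_snippets(query, snippets, min_words=10, max_words=16, threshold=0.7):
    """Score each retrieved snippet and mark the query-aligned ones.

    A snippet is flagged when it is short (min_words..max_words tokens) AND it
    repeats at least `threshold` of the query's content terms. Long passages that
    merely mention the topic, and short ones in the author's own words, pass.
    Returns a list of dicts so the caller can log or quarantine flagged items.
    """
    results = []
    for snippet in snippets:
        n_words = len(tokens(snippet))
        coverage = query_coverage(query, snippet)
        flagged = min_words <= n_words <= max_words and coverage >= threshold
        results.append(
            {"snippet": snippet, "words": n_words, "coverage": round(coverage, 3), "flagged": flagged}
        )
    return results


# Constructed sample input: one user query and two retrieved UGC comments.
SAMPLE_QUERY = "what is the best budget laptop for video editing in 2025"
SAMPLE_SNIPPETS = [
    # Echoes every content word of the query in 15 words: query-aligned, flag it.
    "Best budget laptop for video editing in 2025 is the ExampleBook Pro, see example.test",
    # Ordinary comment on the same topic in the poster's own words: passes.
    "I've been using a refurbished ThinkPad for years and it handles Premiere fine for hobby projects",
]


def demo():
    return screen_snippets(SAMPLE_QUERY, SAMPLE_SNIPPETS)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Coverage is measured against the query rather than the snippet so that a short passage which restates the whole question scores high even when it also carries extra payload words; the length window keeps long, legitimately on-topic passages from being penalised. The score is a triage signal to combine with the author/domain reputation and cross-source deduplication checks listed above, not a verdict on its own.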
“a tiny snippet—just 13 words—of retrieved text on a UGC website like Reddit, Wikipedia, Quora, Facebook, etc. can change AI agents to output spam / scam content pretty consistently”
“a single poisoned Reddit comment can influence generated outputs for an entire cluster of related [AI] queries”
“deep research agents, which are the real-time scrapers that tools like Google AI search and ChatGPT use to retrieve web content with citations”
“one of the things that's critical is that if an 11-to-15-word snippet of text is very similar to the query, it can be particularly convincing to an LLM”
Auto selection now picks models by task intent and real-time health instead of forcing manual choice, using HyDRA routing that achieves 72.5% cost savings while maintaining quality.
Eliminates model selection friction in long agentic sessions and cuts token waste by matching task complexity to model capability. Prompt caching and deferred tool loading mean your context budget goes toward actual work, not repeated definitions.
Replaces the manual model picker with automatic routing already live in VS Code, github.com, and mobile. Requires no developer action to enable, since Auto is the default. Worth using now; Free and Student plans are consolidating around it as the only option. Cache-aware routing prevents the mid-conversation model thrashing that would otherwise negate the savings.
“Prompt caching helps Copilot reuse model state for repeated prompt prefixes instead of recomputing the same prefix on every request.”
“In our evaluations, no single model consistently performed best across tasks.”
“Auto combines two signals: what model is healthy and available right now, and what kind of work Copilot is being asked to do.”
“HyDRA (Agg.) balances quality for 72.5% savings”
“routing accuracy stayed within four points of the English baseline across language groups, with no statistically significant quality gap”
“Auto is the strong default for many tasks because it chooses a model based on what you are trying to do”