Builder's Briefing — April 15, 2026
GitHub Ships Stacked PRs — Finally Catching Up to How Teams Actually Ship Code
GitHub has officially launched gh-stack, a native stacked PRs workflow built into the GitHub CLI. If you've ever envied the Phabricator or Graphite workflow — where you break large changes into a chain of small, reviewable, dependent PRs — this is now a first-class citizen on GitHub. The tool handles rebasing the entire stack when you update a base PR, manages the dependency graph, and integrates with GitHub's review system. With 636 points and 351 comments on HN, the developer community is clearly hungry for this.
For builders shipping daily, this changes your review bottleneck. Instead of one monster PR that sits for three days, you ship a stack of 3-5 focused diffs that reviewers can approve incrementally. If you're running a team of 3-10 engineers, adopt this now — it directly reduces cycle time. Pair it with CI that runs on each PR in the stack independently and you've eliminated the 'waiting for review' excuse.
This also signals GitHub doubling down on developer workflow after years of focusing on Copilot and AI features. Combined with Jujutsu (jj) gaining serious traction as a Git replacement (400+ HN points today), the version control layer is getting its biggest shakeup in a decade. If you're evaluating dev tooling for a new team, try gh-stack on your existing GitHub repos this week — it's backward compatible and the learning curve is minimal.
30 WordPress Plugins Bought and Backdoored in Supply Chain Attack
An attacker purchased 30 legitimate WordPress plugins and injected backdoors into all of them via routine updates. If you ship anything on WordPress — or depend on any plugin ecosystem — this is your reminder that supply chain attacks now include legal acquisition of trusted packages. Audit your plugin list, pin versions, and monitor update diffs.
N-Day-Bench: Benchmarking LLMs at Finding Real Vulnerabilities
A new benchmark tests whether LLMs can discover known vulnerabilities in real codebases. If you're building AI-assisted security tooling or code review pipelines, this gives you a concrete evaluation framework — and the early results suggest LLMs are getting surprisingly competent at finding n-day bugs.
Google Cracks Down on Back Button Hijacking as Spam
Google's new spam policy explicitly penalizes sites that manipulate browser back-button behavior. If you're doing anything with history.pushState for marketing funnels or interstitials, audit now — this will tank your search rankings.
vLLM Continues to Dominate LLM Serving — Now Trending on GitHub
vLLM is trending again as the go-to inference engine for self-hosted LLMs. If you're serving models in production and not using vLLM (or evaluating it against TensorRT-LLM), you're likely leaving throughput and memory efficiency on the table.
Introspective Diffusion Language Models: A New Architecture Worth Watching
A research group proposes diffusion-based language models that can introspect on their own generation process. Still academic, but if you're building anything that needs controllable or steerable text generation, this architecture may offer better guarantees than autoregressive models.
Claude Code Routines: Programmable Workflows for AI Coding Agents
Anthropic published docs on Claude Code Routines — composable, repeatable task patterns you can define for Claude's coding agent. If you're using Claude Code in your workflow, routines let you encode your team's conventions (testing, migration patterns, code style) so the agent follows them consistently.
Microsandbox: Local Sandboxes Purpose-Built for AI Agents
A new open-source project provides secure, cross-platform sandboxes for running AI agent code locally. If you're building agents that execute arbitrary code, this is a lighter-weight alternative to full containerization with better security isolation.
Jujutsu (jj) Tutorial Gains Traction — Git's First Real Challenger
Steve Klabnik's Jujutsu tutorial hit 400 points on HN, signaling growing mainstream interest. jj is a Git-compatible VCS that treats every working copy change as a commit, eliminates the index/staging area, and makes rebasing trivial. If you're frustrated with Git's mental model, jj is production-ready and interoperates with existing Git repos.
psmux: Native tmux for Windows PowerShell, Written in Rust
Finally — a tmux-like multiplexer that works natively on Windows Terminal and PowerShell without WSL. If you're a Windows developer who's been jealous of tmux workflows, this is worth trying today.
Lean Proved This Program Correct — Then a Bug Was Found Anyway
A fascinating post-mortem on the gap between formal verification and real-world correctness. The bug was in the specification, not the proof. If you're relying on formal methods or AI-generated proofs, this is required reading on why specs themselves need adversarial review.
DuckDB Internals Deep Dive Now Available
DuckDB published detailed documentation on its internal design and implementation. If you're embedding DuckDB in your analytics stack or building on top of it, this is the reference for understanding query execution, storage layout, and extension points.
Backblaze Silently Stops Backing Up OneDrive and Dropbox Folders
Backblaze's personal backup product no longer covers cloud-synced folders from OneDrive and Dropbox — a major gap since many users' important files live there. If your team or product relies on Backblaze for backup, verify what's actually being covered right now. This also opens a niche for builders in the backup space.
DaVinci Resolve Launches a Free Photo Editor
Blackmagic added a full photo editor to DaVinci Resolve, free as always. If you're building creative tools or workflows, Blackmagic's strategy of giving away professional-grade software to sell hardware continues to raise the floor for what users expect at zero cost.
The version control and code review layer is getting rebuilt in real time — GitHub stacked PRs and Jujutsu both landed in the discourse today, and both directly reduce the friction between writing code and shipping it. If you're a team lead, try gh-stack this week; if you're an individual contributor tired of Git's sharp edges, spend an hour with jj. Meanwhile, the WordPress plugin supply chain attack is a stark reminder: if your product depends on any third-party plugin or package ecosystem, your threat model now includes 'attacker legally buys the dependency.' Pin versions, diff updates, and consider SBOMs seriously.