WEBVTT
NOTE The Rundown — nextbig.dev daily audio edition, 2026-04-15

1
00:00:00.000 --> 00:00:03.786
<v Alex>Hey everyone, welcome to Builder's Briefing for April 15th, 2026. I'm Alex, joined as always by Sam. And today — version control is having a moment.

2
00:00:03.786 --> 00:00:08.927
<v Sam>Honestly, it's about time. We've got GitHub shipping stacked PRs, a serious Git challenger gaining traction, a gnarly WordPress supply chain attack, and some cool AI tooling updates. Let's get into it.

3
00:00:08.927 --> 00:00:16.651
<v Alex>Alright, the big story. GitHub has officially launched gh-stack — native stacked PRs built right into the GitHub CLI. If you've ever used Graphite or the old Phabricator workflow where you break a big change into a chain of small, dependent, reviewable PRs — that's now a first-class feature on GitHub.

4
00:00:16.651 --> 00:00:22.509
<v Sam>Finally. I mean, this has been one of those things where everyone knew the right way to do it, but the tooling just wasn't there natively. You'd either bolt on Graphite or wrestle with manual branch management and it was painful.

5
00:00:22.509 --> 00:00:30.106
<v Alex>Exactly. And the numbers tell the story — over six hundred points and three hundred fifty comments on Hacker News. People are hungry for this. The tool handles rebasing the entire stack when you update a base PR, manages the dependency graph, integrates with GitHub's review system. It just works.

6
00:00:30.106 --> 00:00:39.058
<v Sam>Right, and what's wild is how directly this hits cycle time. Instead of one monster PR that sits in review for three days because nobody wants to look at a thousand-line diff, you ship a stack of three to five focused changes. Reviewers can approve incrementally. Pair that with CI running on each PR independently and suddenly the bottleneck shifts.

7
00:00:39.058 --> 00:00:47.576
<v Alex>And here's the bigger picture — this dropped on the same day that Steve Klabnik's Jujutsu tutorial hit four hundred plus points on Hacker News. Jujutsu, or jj, is a Git-compatible version control system that fundamentally rethinks the mental model. Every working copy change is a commit, there's no staging area, rebasing is trivial.

8
00:00:47.576 --> 00:00:54.456
<v Sam>So the version control layer is getting its biggest shakeup in like a decade, basically on the same day from two different directions. GitHub improving the workflow on top of Git, and jj potentially replacing Git underneath. That's a fascinating moment for dev tooling.

9
00:00:54.456 --> 00:00:59.546
<v Alex>If you're a team lead, try gh-stack this week — it's backward compatible with your existing repos. If you're an IC frustrated with Git's sharp edges, spend an hour with jj. Both are production-ready.

10
00:00:59.546 --> 00:01:04.329
<v Alex>Okay, shifting to security — and this one's a wake-up call. An attacker purchased thirty legitimate WordPress plugins and then injected backdoors into all of them through routine updates.

11
00:01:04.329 --> 00:01:07.782
<v Sam>Wait — purchased them. Like, legally acquired the plugins and then pushed malicious updates to everyone who already had them installed?

12
00:01:07.782 --> 00:01:16.325
<v Alex>That's exactly what happened. Your threat model now has to include 'attacker legally buys the dependency.' This isn't some zero-day exploit or compromised credentials — it's an acquisition. If you ship anything on WordPress or really depend on any plugin ecosystem, audit your plugin list, pin your versions, and monitor update diffs.

13
00:01:16.325 --> 00:01:22.925
<v Sam>That's interesting because it's not even WordPress-specific, right? This same attack vector works for npm packages, VS Code extensions, browser extensions — anywhere there's a marketplace where ownership can transfer. It makes SBOMs feel a lot less optional.

14
00:01:22.925 --> 00:01:30.445
<v Alex>Absolutely. And on a lighter security note — there's a new benchmark called N-Day-Bench that tests whether LLMs can find known vulnerabilities in real codebases. Early results suggest they're getting surprisingly competent at finding n-day bugs, which is both promising and a little terrifying.

15
00:01:30.445 --> 00:01:34.205
<v Sam>Promising if you're building AI-assisted code review, terrifying if you think about who else has access to these models. Dual-use all the way down.

16
00:01:34.205 --> 00:01:40.599
<v Alex>Alright, AI and models. vLLM is trending on GitHub again as the go-to inference engine for self-hosted LLMs. If you're serving models in production and you haven't evaluated vLLM, you're probably leaving throughput and memory efficiency on the table.

17
00:01:40.599 --> 00:01:48.119
<v Sam>Yeah, vLLM just keeps pulling ahead. The PagedAttention approach they use for memory management is kind of the reason everyone gravitates to it. If you're comparing it against TensorRT-LLM, vLLM tends to win on flexibility even if TensorRT sometimes edges it on raw speed for specific hardware.

18
00:01:48.119 --> 00:01:55.665
<v Alex>Two more AI items worth flagging. Anthropic published docs on Claude Code Routines — basically composable, repeatable task patterns you define for the coding agent. So you can encode your team's conventions around testing, migration patterns, code style, and the agent follows them consistently.

19
00:01:55.665 --> 00:02:01.190
<v Sam>Oh, that's huge for teams actually using Claude Code day to day. The difference between a helpful AI and a reliable one is exactly this — being able to say 'here's how we do things' and have it stick across sessions.

20
00:02:01.190 --> 00:02:08.914
<v Alex>And there's a new open-source project called Microsandbox that provides secure local sandboxes purpose-built for AI agents executing arbitrary code. Lighter weight than full containerization, better security isolation. If you're building agents that run code, worth checking out — link in the briefing.

21
00:02:08.914 --> 00:02:15.104
<v Alex>On the dev tools front — beyond the Jujutsu story we already covered — there's a fascinating post-mortem making the rounds about Lean, the proof assistant. Someone formally proved a program correct using Lean, and then a bug was found anyway.

22
00:02:15.104 --> 00:02:17.048
<v Sam>Okay, wait. If it was formally proved correct, how does it still have a bug?

23
00:02:17.048 --> 00:02:23.033
<v Alex>The bug was in the specification, not the proof. The proof was perfect — it just proved the wrong thing. Which is a really important lesson, especially as we see more AI-generated proofs. Your specs themselves need adversarial review.

24
00:02:23.033 --> 00:02:31.091
<v Sam>That's almost philosophical. You can have a flawless proof of a flawed assumption. I feel like that's a metaphor for half the software industry. Also — quick shout-out to psmux, a tmux-like terminal multiplexer that works natively on Windows PowerShell without WSL, written in Rust. Windows devs, your day has come.

25
00:02:31.091 --> 00:02:36.488
<v Alex>Alright, quick hits. DaVinci Resolve now has a free photo editor built in — Blackmagic keeps giving away professional-grade software to sell hardware, and it keeps raising the bar for what users expect for free.

26
00:02:36.488 --> 00:02:38.687
<v Sam>Their strategy is wild. Just keep making everyone else's paid product look overpriced.

27
00:02:38.687 --> 00:02:45.568
<v Alex>We've also got Aphyr with a piece on how AI-generated work creates a future built on lies — thought-provoking read. Thousands of rare concert recordings just hit the Internet Archive. And someone built a Jellyfin client for the Nintendo Wii, because of course they did.

28
00:02:45.568 --> 00:02:48.740
<v Sam>Okay, WiiFin is the kind of project that reminds me why I love this industry. Completely unnecessary, completely delightful.

29
00:02:48.740 --> 00:02:55.364
<v Alex>So here's the takeaway for today. The code review and version control layer is being rebuilt in real time. GitHub stacked PRs and Jujutsu both landed in the discourse on the same day, and both directly reduce the friction between writing code and shipping it.

30
00:02:55.364 --> 00:03:02.603
<v Sam>And on the security side, the WordPress plugin attack is a template for what's coming across every ecosystem. If your product depends on third-party packages, your threat model now includes legal acquisition as an attack vector. Pin versions, diff your updates, take SBOMs seriously.

31
00:03:02.603 --> 00:03:06.849
<v Alex>That's the briefing for April 15th. Try gh-stack this week, give jj a look, and audit your dependencies. We'll be back tomorrow with more. Until then — keep building.

32
00:03:06.849 --> 00:03:08.000
<v Sam>See you all tomorrow. Ship small, ship often.
