<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Newsletter | TooMuchCoding</title><link>https://toomuchcoding.com/tags/newsletter/</link><atom:link href="https://toomuchcoding.com/tags/newsletter/atom.xml" rel="self" type="application/rss+xml"/><description>Newsletter</description><generator>Hugo Blox Builder (https://hugoblox.com)</generator><language>en-us</language><lastBuildDate>Sat, 04 Apr 2026 00:00:00 +0000</lastBuildDate><image><url>https://toomuchcoding.com/media/icon_hu_f2ec140971caa99.png</url><title>Newsletter</title><link>https://toomuchcoding.com/tags/newsletter/</link></image><item><title>Archive (Issues 1-15)</title><link>https://toomuchcoding.com/newsletter/archive/</link><pubDate>Fri, 19 Dec 2025 00:00:00 +0000</pubDate><guid>https://toomuchcoding.com/newsletter/archive/</guid><description>&lt;p&gt;Issues 1-15 were sent via MailerLite before the newsletter moved to the blog.&lt;/p&gt;
&lt;ul&gt;
&lt;/ul&gt;</description></item><item><title>Issue #16</title><link>https://toomuchcoding.com/newsletter/16/</link><pubDate>Sat, 04 Apr 2026 00:00:00 +0000</pubDate><guid>https://toomuchcoding.com/newsletter/16/</guid><description>&lt;p&gt;Hi!&lt;/p&gt;
&lt;p&gt;Well, well, well. This week we&amp;rsquo;ve got Anthropic accidentally playing &amp;ldquo;show and tell&amp;rdquo; with Claude Code&amp;rsquo;s entire 500,000-line source repository, Spring Cloud dropping a fresh release that apparently beats performance optimization with a simple upgrade (I guess you could say that&amp;rsquo;s a &lt;em&gt;compile-time&lt;/em&gt; solution to a runtime problem - sorry, I&amp;rsquo;ll see myself out), and Grafana finally making Database Observability generally available.&lt;/p&gt;
&lt;p&gt;Grab a hot beverage and let&amp;rsquo;s go!&lt;/p&gt;
&lt;p&gt;I do hope that you&amp;rsquo;ll enjoy the reading!&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="shameless-self-promotion"&gt;Shameless self-promotion&lt;/h2&gt;
&lt;p&gt;Master distributed systems resilience in the age of AI agents. Over 40 students have already joined! Check out my &amp;ldquo;Generate, Break, Fix: Distributed Systems in the AI Era&amp;rdquo; workshop on Maven. Use promo code TOOMUCHCODING for $100 off (the $200 is gone 🤷‍♀️):
&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="toomuchcoding"&gt;TooMuchCoding&lt;/h1&gt;
&lt;h2 id="new-newsletter-distribution"&gt;New newsletter distribution&lt;/h2&gt;
&lt;p&gt;Setting the newsletter content in MailerLite by drag and drop is a nightmare. I endured 15 weeks but enough is enough.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m a programmer, I can do Markdown, I can do AsciiDoc. It always renders the way I want it to! The WYSIWYG never does!!!&lt;/p&gt;
&lt;p&gt;This is why starting from today I&amp;rsquo;m going to publish the newsletter on
and here.
will have just an introduction and a link here.&lt;/p&gt;
&lt;h2 id="corporate-workshops"&gt;Corporate workshops&lt;/h2&gt;
&lt;p&gt;I&amp;rsquo;ve successfully confirmed a group of around 40 students for a course similar to the one on Maven. If your company would like to run a &amp;ldquo;Generate, Break, Fix&amp;rdquo; workshop for your team - I&amp;rsquo;m open to the conversation. Just reach out via
or
.&lt;/p&gt;
&lt;h2 id="goto-interview"&gt;GOTO interview&lt;/h2&gt;
&lt;p&gt;I had the great privilege of being interviewed by my very good friend Jakub Pilimon about my &amp;ldquo;career&amp;rdquo;. If you want to check it out click
to see the YouTube video.&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="this-weeks-highlight"&gt;This Week&amp;rsquo;s Highlight&lt;/h1&gt;
&lt;h2 id="claude-code-source-code-accidentally-leaked-in-npm-package"&gt;Claude Code source code accidentally leaked in NPM package&lt;/h2&gt;
&lt;p&gt;Anthropic had what you might call a &amp;ldquo;source map incident.&amp;rdquo; The full 500,000-line source code for Claude Code CLI got exposed through a source map file bundled in an NPM package. The good news: no customer data or underlying model weights were compromised. The bad news: internal architecture and future AI model plans are now public knowledge. It&amp;rsquo;s the kind of mistake that makes security teams reach for their stress balls and coffee simultaneously.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; This is what happens when you forget that source maps are basically a roadmap to your entire codebase. At least they didn&amp;rsquo;t accidentally push their &lt;code&gt;.env&lt;/code&gt; file with hardcoded API keys - &lt;em&gt;that&lt;/em&gt; would have been a real tragedy. The lesson here: check your build artifacts before shipping, folks.&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="ai"&gt;AI&lt;/h1&gt;
&lt;h2 id="claude-code-source-leak-reveals-anthropics-plans"&gt;Claude Code Source Leak Reveals Anthropic&amp;rsquo;s Plans&lt;/h2&gt;
&lt;p&gt;The leaked code provides an unprecedented look into how Anthropic structures its tooling and where the company is headed with future AI development. This isn&amp;rsquo;t just about what Claude Code does today; it&amp;rsquo;s a window into the company&amp;rsquo;s technical strategy and architectural decisions. Security researchers and competitors have already started analyzing the leak for insights into model capabilities and planned features.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; Nothing says &amp;ldquo;competitive advantage&amp;rdquo; quite like open-sourcing your internal strategy. Though honestly, for large AI companies, this is more of an embarrassment than a catastrophe. The architecture is probably less interesting than the execution anyway.&lt;/p&gt;
&lt;h2 id="coding-agents"&gt;Coding Agents&lt;/h2&gt;
&lt;p&gt;AI-powered coding agents are becoming increasingly sophisticated, capable of handling complex software development tasks with minimal human intervention. These agents can write, test, and debug code with surprising competence, though they still struggle with the kind of contextual reasoning that experienced developers bring. This technology is fundamentally changing how teams think about code generation and software architecture.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; We&amp;rsquo;re watching the birth of the &amp;ldquo;code monkey&amp;rdquo; in digital form. Except these monkeys don&amp;rsquo;t get tired, don&amp;rsquo;t ask for raises, and occasionally hallucinate entire function implementations. What could possibly go wrong?&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="security"&gt;Security&lt;/h1&gt;
&lt;h2 id="telegram-0-click-vulnerability-detected"&gt;Telegram 0-Click Vulnerability Detected&lt;/h2&gt;
&lt;p&gt;Italy&amp;rsquo;s cybersecurity authority has identified a zero-click vulnerability in Telegram that could allow attackers to execute code without any user interaction. Zero-click vulnerabilities are particularly nasty because they require no social engineering or user involvement - an attacker simply sends a malicious message and boom, you&amp;rsquo;re compromised. This discovery underscores why even the most security-conscious platforms need continuous auditing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; Zero-click vulnerabilities are the &amp;ldquo;I didn&amp;rsquo;t even have to try&amp;rdquo; category of exploits. They&amp;rsquo;re what keeps security engineers awake at 3 AM, staring at their ceiling wondering if their messaging app is about to become a botnet node.&lt;/p&gt;
&lt;h2 id="openai-codex-command-injection-vulnerability"&gt;OpenAI Codex Command Injection Vulnerability&lt;/h2&gt;
&lt;p&gt;A command injection vulnerability was discovered in OpenAI&amp;rsquo;s Codex that could potentially expose GitHub tokens and other sensitive credentials. This is the kind of bug that makes security researchers lose sleep - a code generation tool that can be tricked into running arbitrary commands. The vulnerability highlights the risks of trusting AI-generated code without rigorous sandboxing and validation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; Remember when AI-generated code was supposed to make our lives easier? Turns out it can also make attackers&amp;rsquo; lives easier. The real lesson: don&amp;rsquo;t blindly execute code suggestions from any tool, AI or otherwise.&lt;/p&gt;
&lt;h2 id="ghostsurf-from-ntlm-relay-to-browser-session-hijacking"&gt;ghostsurf: From NTLM Relay to Browser Session Hijacking&lt;/h2&gt;
&lt;p&gt;Security researchers at SpecterOps detail an attack chain that moves from traditional NTLM relay attacks all the way to full browser session hijacking. This demonstrates how seemingly isolated vulnerabilities can be chained together into a devastating attack path that completely compromises user sessions. The research shows why understanding the full attack surface is critical to proper defense.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; NTLM relay to browser hijacking is like watching a master class in &amp;ldquo;how to ruin someone&amp;rsquo;s day.&amp;rdquo; It&amp;rsquo;s a beautiful attack chain in the most terrible way possible. The kind of thing that makes you want to re-evaluate every authentication mechanism your org uses.&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="jvm"&gt;JVM&lt;/h1&gt;
&lt;h2 id="java-news-roundup-graalvm-build-tools-eclipselink-spring-milestones-open-liberty-quarkus"&gt;Java News Roundup: GraalVM Build Tools, EclipseLink, Spring Milestones, Open Liberty, Quarkus&lt;/h2&gt;
&lt;p&gt;The JVM ecosystem continues its relentless march forward with GraalVM Native Build Tools reaching GA at 1.0.0 and JDK 27 entering early-access with build 15. Spring ecosystem projects are rolling out milestone releases, while GlassFish and Open Liberty are getting major maintenance updates. It&amp;rsquo;s the kind of week where you realize the Java platform never actually sleeps - it just keeps getting better in the background.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; GraalVM Native Build Tools hitting 1.0.0 is like watching a side project graduate to production status. The fact that we&amp;rsquo;re getting closer to truly native Java experiences means less memory overhead and faster startup times - which, let&amp;rsquo;s be honest, is what we&amp;rsquo;ve all wanted since 1995.&lt;/p&gt;
&lt;h2 id="jdk-27-early-access-release-notes"&gt;JDK 27 Early-Access Release Notes&lt;/h2&gt;
&lt;p&gt;JDK 27 is bringing post-quantum cryptography support with ML-KEM and ML-DSA private key encodings in PKCS #8 format. This forward-thinking approach acknowledges the reality that quantum computers might eventually break current cryptographic standards. While quantum computing is still in its infancy, Java is already preparing the foundation for a post-quantum world.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; Post-quantum cryptography support in JDK 27 is basically Java saying &amp;ldquo;we&amp;rsquo;ve got problems from the future, so let&amp;rsquo;s fix them now.&amp;rdquo; It&amp;rsquo;s refreshingly paranoid in the best way.&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="spring"&gt;Spring&lt;/h1&gt;
&lt;h2 id="spring-cloud-202502-aka-northfields-has-been-released"&gt;Spring Cloud 2025.0.2 (aka Northfields) Has Been Released&lt;/h2&gt;
&lt;p&gt;Spring Cloud 2025.0.2 is now GA and built on Spring Boot 3.5.13, bringing significant upgrades to sub-projects including Spring Cloud Netflix and Kubernetes support. A CVE patch for Spring Cloud Config is also included, so if you&amp;rsquo;re still on older versions, now&amp;rsquo;s a good time to think about upgrading. The release represents months of work from the team to keep the Spring Cloud ecosystem modern and secure.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; &amp;ldquo;Northfields&amp;rdquo; is a fun codename, though I&amp;rsquo;m pretty sure nobody on the Spring team is thinking about fields right now except for the ones in their data structures.&lt;/p&gt;
&lt;h2 id="we-tried-every-performance-trick-a-spring-boot-upgrade-beat-them-all"&gt;We tried every performance trick. A Spring Boot upgrade beat them all.&lt;/h2&gt;
&lt;p&gt;A team documented their journey through months of performance optimization - caching strategies, database tuning, algorithmic improvements - only to discover that upgrading to a newer Spring Boot version delivered better results than all their manual efforts combined. Lower CPU usage, reduced latency, and improved throughput came from a simple version bump. It&amp;rsquo;s a humbling reminder that sometimes the best optimization is letting experts do what they do.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; This is the software engineering equivalent of trying every home remedy for a cold only to have the doctor prescribe antibiotics that actually work. Turns out the Spring team knows something about performance. Who knew?&lt;/p&gt;
&lt;h2 id="grails-isnt-done-yet-part-2-eol-spring-boot-and-what-comes-next"&gt;Grails isn&amp;rsquo;t done yet, Part 2: EOL Spring Boot and what comes next&lt;/h2&gt;
&lt;p&gt;Grails developers need to pay attention: the framework&amp;rsquo;s ties to older Spring Boot versions mean legacy applications are sitting on increasingly unsupported dependencies. This article serves as a warning that staying on outdated Grails releases leaves you vulnerable and unsupported. The Grails team is working to move forward, but users need to actively upgrade or face the consequences.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; If you&amp;rsquo;re still running Grails on EOL Spring Boot versions, you&amp;rsquo;re not living on the edge - you&amp;rsquo;re just behind it. Time to upgrade before support disappears entirely.&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="observability"&gt;Observability&lt;/h1&gt;
&lt;h2 id="database-observability-now-generally-available"&gt;Database Observability now Generally Available&lt;/h2&gt;
&lt;p&gt;Grafana Labs has released Database Observability for MySQL and PostgreSQL as a generally available feature. Teams can now identify slow queries and analyze database performance directly within Grafana Cloud using Grafana Alloy. This integration removes friction from the database monitoring workflow and provides visibility into one of the most critical infrastructure components.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; Finally, a tool that recognizes that databases are part of your observability problem, not just the thing sitting behind your application hoping nobody notices when it gets slow. This is the kind of feature that makes ops teams actually smile.&lt;/p&gt;
&lt;h2 id="sustaining-opentelemetry-moving-from-dependency-management-to-stewardship"&gt;Sustaining OpenTelemetry: moving from dependency management to stewardship&lt;/h2&gt;
&lt;p&gt;Bloomberg and the CNCF are launching a mentorship cohort focused on OpenTelemetry sustainability. The program trains new contributors and reduces the operational burden on maintainers of a project that&amp;rsquo;s become critical infrastructure for observability. This is important work because OpenTelemetry doesn&amp;rsquo;t maintain itself - it needs active stewardship.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; OpenTelemetry has become so important that the entire industry is now realizing it needs proper funding and stewardship. Translation: we all benefited from open source for years and now we&amp;rsquo;re finally acknowledging the maintainers deserve support.&lt;/p&gt;
&lt;h2 id="erste-digital-transforms-observability-with-opentelemetry-and-a-unified-platform"&gt;Erste Digital transforms observability with OpenTelemetry and a unified platform&lt;/h2&gt;
&lt;p&gt;Erste Digital documented their migration from multiple observability tools to Grafana Cloud and OpenTelemetry, reducing tool sprawl and improving incident response capabilities. In a highly regulated environment like banking, consolidation and consistency are not just nice-to-haves - they&amp;rsquo;re requirements. This case study shows how modern observability platforms can simplify compliance and reduce operational overhead.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Marcin&amp;rsquo;s comment:&lt;/strong&gt; When a bank switches to a unified observability platform and incident response improves, you know you&amp;rsquo;re onto something. Turns out having one source of truth beats having seventeen dashboards in seventeen different systems.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;That&amp;rsquo;s all for now.&lt;/p&gt;
&lt;p&gt;Thanks again for being here, and see you in the next one.&lt;/p&gt;</description></item></channel></rss>