jun 3, 2026
3 links from the engineering internet.
caddy v2.11.4 ships security patches and calls out ai slop reports
the web server's patch fixes a windows backslash path-matcher bypass, header-underscore collisions, and placeholder re-expansion in rewrites. maintainers say they rejected over 75% of recent security reports as ai-generated slop and started blocking the spammers.
deno v2.8.2 adds post-quantum crypto and a --bundle compile flag
the runtime ships ml-dsa and ml-kem post-quantum cryptography, a --bundle flag for deno compile, and rewrites the jupyter kernel in javascript to drop the zeromq dependency. it also re-enables quic 0-rtt and improves node compatibility.
django 6.0.6 and 5.2.15 patch five low-severity security issues
the security releases fix a signed-cookie salt collision (cve-2026-6873), unencrypted email when starttls fails (cve-2026-7666), and data exposure via case-sensitive cache-control headers (cve-2026-8404), among five low-severity issues.