MaxBytes Middleware in Go: The Same Trap, Again
https://destel.dev/blog/max-bytes-middleware-in-go
Most of my API accepts small JSON payloads, so a strict global limit is a sane default. File uploads need a couple of orders of magnitude more. And the obvious solution – overriding the limit with another middleware on that route – fails in exactly the same way. Silently.
https://destel.dev/blog/max-bytes-middleware-in-go
Building Agents in Go Without a Framework
https://blog.getzep.com/agentic-development-in-go
A production agent is a long-running, concurrent, I/O-bound process that spends most of its time waiting on a model, a tool, or a human. That shape fits Go's runtime. This post explains why, surveys the Go framework options, and shows how to build an agent without one.
https://blog.getzep.com/agentic-development-in-go
Привет, на связи Таня Коровкина из ШОРТКАТ. Ментор по алгоритмам и backend-разработчик
Каждый месяц тысячи разработчиков совершают одни и те же ошибки на алгоритмических интервью 🚩
И продолжают готовиться... не к тому.
6 июля(понедельник) в 19:00 (МСК) проведу вебинар и покажу, что на самом деле оценивает интервьюер и какие ошибки чаще всего приводят к отказу
• дам практические советы, которые можно использовать уже на следующем собеседовании
• расскажу про специфику российского BigTech
🤘 Это бесплатно. Эфир проходит в рамках менторской программы от ШОРТКАТ для разработчиков, которые хотят повысить свой грейд, ЗП и прокачать скиллы.
Переходи в нашего бота, чтобы получить ссылку на эфир → @shortcut_go_bot
Реклама.
О рекламодателе.
Please open Telegram to view this post
VIEW IN TELEGRAM
gopls's Model Context Protocol (MCP) Server
https://go.dev/gopls/features/mcp
Gopls includes an experimental built-in server for the Model Context Protocol (MCP), allowing it to expose a subset of its functionality to AI assistants in the form of MCP tools.
https://go.dev/gopls/features/mcp
hasp
https://github.com/gethasp/hasp
HASP is a local secret broker for coding agents.
Agents need credentials to run tests, call APIs, and deploy code. Copying those credentials into prompts, shell history, .env files, or repo-local notes makes the agent faster today and harder to trust tomorrow. HASP keeps secrets in a local encrypted vault and gives commands only the values they are allowed to use at runtime.
The core rule is:
Managed secret values must not enter agent context.
https://github.com/gethasp/hasp
router
https://github.com/workweave/router
Model router for agentic systems. Routes every prompt to the right model in <50ms. Cut costs 40-70% with just an endpoint change.
https://github.com/workweave/router
Shard your locks: benchmarking 6 Go cache designs
https://strebkov.dev/posts/shard-your-locks
TL;DR: Shard your locks. A 256-way striped map (sharded) was the all-around winner — up to 8× faster than a single sync.Mutex at 8 cores — and it’s about 15 lines of code. sync.RWMutex, the reflexive fix for “reads are contended,” is a trap: it barely helps reads past two cores and is slower than a plain mutex for writes.
https://strebkov.dev/posts/shard-your-locks
Excessive nil pointer checks in Go
https://konradreiche.com/blog/excessive-nil-pointer-checks-in-go
Let’s talk about nil pointer checks in Go. You want to prevent panics in production, but that doesn’t start with a deferred recover. It starts with defensive programming. Check your inputs, check your bounds, and check pointers for nil before dereferencing them.
I’ve started to see more nil checks in Go code. In the right place, they are necessary for writing safe code. In the wrong place, they are a sign that the code has stopped being clear about what can and cannot be nil. I have noticed this pattern more in generated code, but this symptom is not new and is not limited to AI.
When a nil check is cheap and prevents a panic, why not add it? Your reflex may be, let’s just be safe. But the check also tells the next reader something, and often the wrong thing.
https://konradreiche.com/blog/excessive-nil-pointer-checks-in-go
Channel iteration and goroutine leak
https://rednafi.com/go/channel-iteration-goroutine-leak
I ran into the classic “range over a channel” leak while working on a custom cron scheduler. I’ve debugged it on prod many times before, but writing one myself in a small piece of code reminded me how easy it is to write bugs like this even when you know about it.
https://rednafi.com/go/channel-iteration-goroutine-leak
Excelize v2.11.0: an important release with security fixes for XLSX reading, lower memory usage, and improvements to formulas, charts, and pivot tables. Includes breaking changes: Go 1.25+ is now required, and some chart/shape APIs were changed.
https://github.com/xuri/excelize/releases/tag/v2.11.0
https://github.com/xuri/excelize/releases/tag/v2.11.0
Don't run SQL migrations in tests: How I sped up the test suite by 2x
https://gaultier.github.io/blog/I_sped_up_the_test_suite_by_x2.html
We have a giant test suite at work, mostly in Go. The test coverage is great, but it means that it's not that fast to run, and it only will get slower over time as new tests are added. Almost every test needs a pristine database. We are spending a ton of CPU time just applying again and again the same SQL migrations at the start of each test.
https://gaultier.github.io/blog/I_sped_up_the_test_suite_by_x2.html
I taught a bucket to speak git
https://www.tigrisdata.com/blog/objgit
What happens if I just point a git server at an object storage bucket?
Back when I was porting agent sandboxes to Go, I built everything on top of billy, a filesystem abstraction for Go. The whole trick of the project was teaching a Tigris bucket to act enough like a filesystem that a shell interpreter and its tools couldn’t tell the difference. Billy was the key layer that made the entire façade fall into place.
After I had gotten things working, I learned that I’m using billy way outside its normal usecase. It was originally made for go-git, a pure-Go implementation of git’s protocols and data formats. It doesn’t rely on the /usr/bin/git binary existing at all. Every method on billy’s filesystem interface exists purely because go-git needs it. This gave me a terrible idea: I already have a bucket that can quack like a filesystem and go-git’s native language is “filesystem”.
Can this Just Work™? Let's find out.
https://www.tigrisdata.com/blog/objgit
nodecore
https://github.com/drpcorg/nodecore
A fault-tolerant, API-agnostic RPC load balancer for blockchain APIs.
https://github.com/drpcorg/nodecore
Socket-Activation for a Go HTTP service. Part 1: On Linux with systemd.
https://poweruser.blog/socket-activation-for-a-go-http-service-part-1-on-linux-with-systemd-0e530ed463a3
How to make systemd run a Go HTTP service only when needed to save cpu/memory.
https://poweruser.blog/socket-activation-for-a-go-http-service-part-1-on-linux-with-systemd-0e530ed463a3
How much do amd64 microarchitecture levels help in Go?
https://lemire.me/blog/2026/06/06/how-much-do-amd64-microarchitecture-levels-help-in-go
Our 64-bit Intel and AMD processors have evolved over decades. When you compile a Go program for a 64-bit Intel or AMD processor, the compiler targets, by default, a nearly 20-year-old instruction set. The binary that comes out runs on essentially any x64 chip, but it also leaves on the table every instruction that was added since 2003.
https://lemire.me/blog/2026/06/06/how-much-do-amd64-microarchitecture-levels-help-in-go
Golang code review notes II
https://www.elttam.com/blog/golang-code-review-notes-ii
A couple of years ago we published a blog post with the intention to create a resource that code auditors and security-minded engineers can refer to when auditing or developing Golang projects.
In that post we covered some bug classes that we have often seen during our own Golang code auditing projects.
Thanks to the second law of thermodynamics time only keeps moving forward, and as any decently supported modern programming language, Go has seen a lot of changes and improvements since our first blog post.
So we decided to create this follow-up post with the same idea in mind.
Since out first post, automated tooling and AI assistants have raised the floor for code review: a lot of the obvious bugs now get caught on the first pass, by anyone. But that floor is also where most reviewers stop, because the tooling stops there too — the rules only flag what they already know to look for. What separates an experienced auditor is knowing the language's sharp edges that no rule covers yet, and going looking for them deliberately.
In this post, first we will start with a quick look at what changes have been made to the language to make security easier and more intuitive for folks (with no particular selection criteria on what we're going to cover).
Then we have a bunch of new footguns we would like to highlight, hopefully to the benefit of everyone auditing or developing Golang projects.
Finally, we are also releasing a couple of semgrep rules to close the gap regarding these risky coding patterns.
The rules can be found in our Semgrep rules repository.
With the introduction out of the way, first let's see what are some of the features that were introduced Golang with a major impact on its security landscape.
https://www.elttam.com/blog/golang-code-review-notes-ii
Reading Wi-Fi data from Go on macOS after Apple removed airport
https://dev.to/jaisonerick/reading-wi-fi-data-from-go-on-macos-after-apple-removed-airport-19g
If you've ever needed your script or your Go program to read the SSID, BSSID, signal strength, or channel of the Wi-Fi network a Mac is on, the last two years have not been kind.
https://dev.to/jaisonerick/reading-wi-fi-data-from-go-on-macos-after-apple-removed-airport-19g
Discovering and navigating through Go linkname compiler directives
https://dnaeon.github.io/golinkname
One interesting compiler directive is linkname, which allows us to declare a symbol in one package, which happens to be an alias for a symbol in another package. The symbol to which we link can even be an unexported symbol, allowing us to break the encapsulation rules as a whole and make a package-internal symbol exported via another symbol in a different package.
https://dnaeon.github.io/golinkname
🤖 ИИ врёт в проде
А ещё может ломать процессы, уводить данные не туда и уверенно предлагать неверные решения.
⭐ Слёрм запускает БЕСПЛАТНУЮ вечернюю школу «ИИ для инженеров: польза и риски».
Это серия онлайн-занятий о том, как использовать ИИ в инженерной работе осознанно, безопасно и с понятной пользой.
🧩 Будем разбирать реальные инженерные сценарии:
— как ИИ помогает DevOps-, SRE- и infrastructure-командам
— как использовать LLM для алёртов, инцидентов, логов, тикетов и документации
— где ИИ реально экономит время, а где создаёт новые риски
— как проверять результат модели и не ловить галлюцинации в проде
— что делать с безопасностью, данными, compliance и юридическими ограничениями
— как встроить ИИ в рабочий процесс, а не просто иногда спрашивать у него команды.
🧩 В программе шесть онлайн-занятий с практиками из ИТ:
— ИИ для разбора метрик и шумных алёртов
— автофикс проблем прода с ИИ
— ИИ-агенты в бизнес-задачах
— юридические риски использования ИИ
— LLM в SOC и борьба с alert fatigue
— инженерное мышление в эпоху LLM
Школа подойдёт DevOps-, SRE-, infrastructure-, platform- и security-инженерам, а также всем, кто уже пробовал ИИ в работе и хочет понять, как использовать его системнее и безопаснее.
📅 Старт — 21 июля.
💸 Участие бесплатное, занятия проходят онлайн.
👉🏻 Узнать подробнее и зарегистрироваться в боте
Реклама. ООО "Слерм", ИНН: 3652901451, erid: 2VtzqvHNKJS
А ещё может ломать процессы, уводить данные не туда и уверенно предлагать неверные решения.
Это серия онлайн-занятий о том, как использовать ИИ в инженерной работе осознанно, безопасно и с понятной пользой.
🧩 Будем разбирать реальные инженерные сценарии:
— как ИИ помогает DevOps-, SRE- и infrastructure-командам
— как использовать LLM для алёртов, инцидентов, логов, тикетов и документации
— где ИИ реально экономит время, а где создаёт новые риски
— как проверять результат модели и не ловить галлюцинации в проде
— что делать с безопасностью, данными, compliance и юридическими ограничениями
— как встроить ИИ в рабочий процесс, а не просто иногда спрашивать у него команды.
🧩 В программе шесть онлайн-занятий с практиками из ИТ:
— ИИ для разбора метрик и шумных алёртов
— автофикс проблем прода с ИИ
— ИИ-агенты в бизнес-задачах
— юридические риски использования ИИ
— LLM в SOC и борьба с alert fatigue
— инженерное мышление в эпоху LLM
Школа подойдёт DevOps-, SRE-, infrastructure-, platform- и security-инженерам, а также всем, кто уже пробовал ИИ в работе и хочет понять, как использовать его системнее и безопаснее.
📅 Старт — 21 июля.
💸 Участие бесплатное, занятия проходят онлайн.
👉🏻 Узнать подробнее и зарегистрироваться в боте
Реклама. ООО "Слерм", ИНН: 3652901451, erid: 2VtzqvHNKJS
Please open Telegram to view this post
VIEW IN TELEGRAM
Special Cases in Go
https://www.dolthub.com/blog/2026-05-22-special-cases-in-go
Golang is often touted as a “simple” language by design, deliberately eschewing features that would add complexity. The language design is openly opinionated but avoids baking those opinions into the spec. It’s why core design patterns like errors and context objects are implemented in the standard library instead of being built into the language. While special syntax for these types could decrease boilerplate, it would also make the language more complex in a way that violates the design philosophy of the language.
The language designers would argue that there’s elegance in simplicity. That Golang doesn’t need special cases.
But that’s not the complete story. It turns out that Golang actually does have “special cases” in order to allow for behavior that can’t otherwise be expressed in the language.
Today we’re going to look at some of those special cases.
https://www.dolthub.com/blog/2026-05-22-special-cases-in-go