What is the Anthropic and SpaceX compute deal announced on May 6, 2026?

On May 6, 2026, Anthropic announced a partnership with SpaceX to use the entire compute capacity at SpaceX's Colossus 1 data center. The deal gives Anthropic over 300 megawatts of capacity and more than 220,000 NVIDIA GPUs available within the month. Anthropic used the new capacity to double Claude Code's five hour rate limits for Pro, Max, Team, and seat based Enterprise plans, remove the peak hours limit reduction for Pro and Max accounts, and significantly raise the Claude Opus API rate limits. The deal sits alongside Anthropic's earlier compute commitments with Amazon, Google and Broadcom, Microsoft and NVIDIA, and Fluidstack. Anthropic also said it is exploring multiple gigawatts of orbital AI compute capacity with SpaceX.

Why did Cloudflare lay off 1,100 employees on May 7, 2026?

Cloudflare announced on May 7, 2026 that it is reducing its workforce by approximately 1,100 employees, around 20 percent of staff, alongside Q1 2026 results showing 639.8 million dollars in revenue (up 34 percent year over year) that beat the 622 million dollar estimate. CEO Matthew Prince framed the cuts as a transition to an agentic AI-first operating model, citing internal AI usage that surged more than 600 percent in the past three months. Prince said the company is keeping product builders and sellers but cutting support functions behind those teams. Cloudflare expects 140 to 150 million dollars in restructuring charges, mostly recognized in Q2 2026. The stock fell 24 percent on the day despite the earnings beat.

What is AWS Bedrock AgentCore Payments?

AWS announced Amazon Bedrock AgentCore Payments in preview on May 7, 2026 in partnership with Coinbase and Stripe. The fully managed service lets AI agents make stablecoin micropayments for APIs, MCP servers, web content, and other paid resources. When an agent receives an HTTP 402 response from a paid resource, AgentCore handles x402 protocol negotiation, wallet authentication, stablecoin payment, and proof delivery without breaking the agent's reasoning loop. Coinbase provides CDP wallet integration and the x402 Bazaar MCP server with over 10,000 endpoints. Stripe provides Privy wallet infrastructure. Session level spending limits are enforced at the infrastructure layer with end to end observability through standard AgentCore logs, metrics, and traces. The preview is available in US East (N. Virginia), US West (Oregon), Europe (Frankfurt), and Asia Pacific (Sydney).

What is new in Cursor 3.3 released on May 7, 2026?

Cursor 3.3 shipped on May 7, 2026 with three headline features. First, a new PR review experience inside the agents window with a Reviews tab for inline review threads and top level PR comments, a Commits tab for focused commit history, and a Changes tab with a file tree and changes picker for navigating larger PRs. Second, Build in Parallel, which identifies independent parts of a plan and runs them simultaneously using async subagents while keeping dependent steps in order. Third, Split PRs, a quick action that uses chat context to identify logical slices, defaults to independent PRs unless dependencies exist, takes a backup snapshot, and proposes a split plan for approval. The release also lets you pin skills as quick action pills, control Explore subagent behavior in settings, and adds the slash multitask command to the editor.

What did OpenAI ship between May 4 and May 10, 2026?

OpenAI had a busy week. On May 5, GPT-5.5 Instant became the new default model in ChatGPT and the API chat-latest alias, with OpenAI claiming a 52.5 percent reduction in hallucinated claims versus GPT-5.3 Instant on high stakes prompts in medicine, law, and finance, and a 37.3 percent reduction in inaccurate claims on flagged conversations. On May 7, OpenAI shipped three new audio models in the API: GPT-Realtime-2 with GPT-5 class reasoning, GPT-Realtime-Translate covering 70 input languages and 13 output languages, and GPT-Realtime-Whisper for streaming speech to text. Also on May 7, OpenAI scaled Trusted Access for Cyber and rolled out GPT-5.5-Cyber in limited preview for cybersecurity defenders, with phishing resistant security required by June 1. The same day OpenAI rolled out Trusted Contact, an optional safety feature that lets adult ChatGPT users assign an emergency contact for serious mental health concerns. May 5 and May 7 also saw new ad surfaces with New ways to buy ChatGPT ads and Testing ads in ChatGPT.

What changed in Node.js 26.1.0 and the Next.js May security release?

Node.js 26.1.0 shipped on May 7, 2026 with an experimental node:ffi module for loading dynamic libraries and calling native symbols from JavaScript behind the experimental-ffi flag, plus improvements across Buffer, crypto, debugger, filesystem, HTTP, process, stream, and the test runner. The same day, Vercel published Next.js 15.5.18 and 16.2.6, an emergency security release that addressed 13 advisories including denial of service, middleware and proxy bypass, server side request forgery, cache poisoning, and cross site scripting. All users on 13.x, 14.x, 15.x, and 16.x are advised to upgrade. Cloudflare also shipped an emergency WAF rule the same day for CVE-2026-44575, the Next.js middleware bypass affecting App Router applications. React 19.0.6 on May 6 added type hardening and patched a denial of service in React Server Components (CVE-2026-23870).

Dev Weekly May 4-10, 2026: Anthropic-SpaceX Compute Deal, Cloudflare Cuts 1,100, AWS Agent Payments, Cursor 3.3

Q: What is Grok 4.3 from xAI?

xAI released Grok 4.3 on May 6, 2026. It features built in reasoning as a permanent state, a 1 million token context window, and agentic tool use. Pricing is 1.25 dollars per million input tokens and 2.50 dollars per million output tokens. The same day xAI shipped connectors for SharePoint, Outlook, OneDrive, Google Workspace, Notion, GitHub, and Linear, plus the Grok Imagine Quality Mode API and custom voices and a voice library. xAI also announced that on May 15 it will deprecate grok-4-1-fast-reasoning, grok-4-fast-reasoning, grok-3, and grok-code-fast-1, directing users to migrate to Grok 4.3.

A heavier news week than the date alone suggests. Anthropic locked in SpaceX’s Colossus 1 supercluster on May 6 and used the new compute to double Claude Code rate limits the same day. Cloudflare beat Q1 2026 estimates on May 7 and immediately announced 1,100 layoffs in what CEO Matthew Prince called an agentic AI-first operating model, sending the stock down 24 percent. AWS shipped two pieces of agent infrastructure: the AWS MCP Server went GA on May 6, and Bedrock AgentCore Payments launched in preview on May 7 with Coinbase and Stripe so agents can pay each other in stablecoins. Cursor 3.3 brought the PR review loop into the agents window, added Build in Parallel, and split PRs from chat context. OpenAI updated the ChatGPT default model, dropped three new realtime voice models, and scaled cyber defender access. xAI launched Grok 4.3 with a 1M context. Google shipped Agent Identity, Agent Gateway, and 80 Agentic Data Cloud updates. Node.js 26.1.0 added experimental FFI. Next.js patched 13 advisories in an emergency release. And the security side stayed loud with three CISA KEV additions, including a SQL injection in BerriAI LiteLLM. Here is everything that mattered.

Developer Tools & Platforms

OpenAI Updates ChatGPT to GPT-5.5 Instant -

On May 5, OpenAI rolled out GPT-5.5 Instant as the new default ChatGPT model and as chat-latest in the API. The headline number is 52.5 percent fewer hallucinated claims than GPT-5.3 Instant on high stakes prompts covering medicine, law, and finance, plus 37.3 percent fewer inaccurate claims on flagged conversations. GPT-5.5 Instant is also tighter, with 30.2 percent fewer words and 29.2 percent fewer lines on the example shown in the launch post. The model is better at analyzing photo and image uploads, STEM questions, and deciding when to run web search. Personalization across past chats, connected files, and Gmail is rolling to Plus and Pro on the web first, then Free, Go, Business, and Enterprise. GPT-5.3 Instant stays available to paid users for three months under model configuration settings before retirement.

OpenAI Ships Three New Realtime Audio Models -

On May 7, OpenAI introduced three new audio models in the API. GPT-Realtime-2 brings GPT-5 class reasoning to a voice model for handling complex requests and natural conversation. GPT-Realtime-Translate is a live translation model that accepts more than 70 input languages and produces 13 output languages. GPT-Realtime-Whisper is a streaming speech to text model that transcribes live as a user speaks. The set covers the three patterns OpenAI is pushing for voice: voice to action, systems to voice, and voice to voice.

OpenAI Scales Trusted Access for Cyber and Trusted Contact -

Also on May 7, OpenAI rolled out GPT-5.5-Cyber in limited preview for cybersecurity defenders, behind verified access. Phishing resistant security is required by June 1. The same day, OpenAI introduced Trusted Contact, an optional safety feature that lets adult ChatGPT users nominate an emergency contact for serious mental health and self harm concerns. The notification is intentionally limited and does not include chat transcripts. OpenAI also published Testing ads in ChatGPT on May 7 and New ways to buy ChatGPT ads on May 5, the first explicit ad surfaces inside ChatGPT itself.

Google Cloud Ships Agent Identity GA and Agentic Data Cloud Updates -

On May 6, Google Cloud rolled out a set of IAM updates for the agentic era. Agent Identity is now a first class principal type in IAM, built on the SPIFFE standard and generally available for Agent Runtime, with preview availability in the Gemini Enterprise Agent Platform. Agent Gateway adds policy enforcement for agent to agent and agent to tool connections, with Identity-Aware Proxy (IAP) for Agents in preview. The same day Google introduced its Agentic Data Cloud with around 80 product updates, including Knowledge Catalog for metadata management, Cross-Cloud Lakehouse so BigQuery and AI features can run against AWS and Azure data, and Spanner Omni for disconnected edge and on premises deployments.

Gemini API File Search Goes Multimodal -

On May 5, Google updated the Gemini API File Search endpoint with three additions. Multimodal support means it can process images and text together. Custom metadata filtering helps teams organize unstructured data inside the same store. Page level citations give grounding back at the page rather than the document level. Less glue code for grounded retrieval pipelines.

Anthropic Releases Ten Financial Services Agent Templates -

On May 5, Anthropic shipped ten ready to run agent templates for financial services and insurance, available as Cowork and Claude Code plugins. The set includes pitch builders, earnings reviewers, valuation reviewers, and a general ledger reconciler. Even outside finance the templates are useful as reference architectures for long running, document heavy agent work.

GitHub Copilot Cloud Agent Gets Org-Level Secrets and Variables -

On May 8, GitHub gave Copilot cloud agent its own dedicated Agents secrets and variables, sitting next to the existing Actions, Codespaces, and Dependabot types. You can now configure secrets and variables at the organization level for the first time and share them across selected repositories, instead of duplicating per repo Copilot environment configs. There is a separate Agents section in repository settings for repository scoped values. Earlier in the week GitHub also shipped Enterprise managed plugins for the Copilot CLI in public preview on May 6, and on May 7 Rubber Duck in the Copilot CLI added support for more models including Claude as the critic agent. GitHub also posted retirement notices for Grok Code Fast 1 (May 15), GPT-4.1 (June 1), and Claude Sonnet 4 (May 7) in the Copilot model picker.

Claude Code Ships Three Releases in the Window -

Claude Code shipped multiple iterations between May 4 and May 9. v2.1.128 on May 4 updated the slash model picker, fixed MCP server issues, and rolled in bug fixes. v2.1.133 on May 7 added worktree settings, sandbox configuration options, and credential and proxy fixes. v2.1.136 then landed with stability fixes, improved auto mode rules, and further MCP server work. If you are pinning a known good version in CI, the May 7 release is the most stable point in the window.

Cloudflare Workers Add Stream Bindings -

On May 7, Cloudflare added Stream Bindings for Workers. Workers can now interact with the Cloudflare Stream video library programmatically, without the authenticated REST API calls that used to be required. Cloudflare also shipped IPv6 CIDR routes for Cloudflare Mesh on May 6, enabling IPv6 only and dual stack private networks.

Snowflake 10.16, Databricks Runtime 18.2, Lakeflow Pipelines GA -

Snowflake 10.16 shipped on May 4. The notable addition is general availability of data quality checks by group, where data metric functions can be associated with tables or views using a WITHIN GROUP clause for segment level monitoring. The same day on the Databricks side, Databricks Runtime 18.2 hit general availability and the Lakeflow Pipelines Editor reached GA. May 5 added beta managed ingestion connectors for Outlook and GitHub plus automatic identity management for syncing users and groups from identity providers. May 7 shipped faster package installs through %uv pip in serverless notebooks.

Kubernetes v1.36 Declarative Validation Reaches GA -

On May 5, the Kubernetes project posted a blog confirming Declarative Validation for native types is now GA in v1.36 (Haru). The new framework replaces thousands of lines of handwritten validation code with a unified system that uses +k8s: marker tags. The full v1.36 release was on April 22 but the Declarative Validation GA blog landed in window and is the piece most likely to affect day to day CRD authors.

Security

Next.js Emergency Security Release Patches 13 Advisories -

On May 7, Vercel published Next.js 15.5.18 and 16.2.6 as an emergency security release. The patches cover 13 advisories across denial of service, middleware and proxy bypass, server side request forgery, cache poisoning, and cross site scripting. Every user on 13.x, 14.x, 15.x, and 16.x is asked to upgrade. Cloudflare published a same day emergency WAF rule for CVE-2026-44575, the Next.js middleware bypass affecting App Router applications, as defense in depth ahead of the framework patch landing in production.

React 19.0.6 Patches RSC Denial of Service -

On May 6, React 19.0.6 shipped with type hardening and a fix for CVE-2026-23870, a denial of service in React Server Components. The patch was also released on the 19.1 and 19.2 lines. Anyone running RSC in production should pull the patch.

CISA Adds Three High-Severity CVEs to KEV in Window -

CISA added three vulnerabilities to the Known Exploited Vulnerabilities catalog inside the window, all under active exploitation. CVE-2026-6973 in Ivanti EPMM is an authenticated admin remote code execution that landed on May 7 with a three day federal due date. CVE-2026-0300 in Palo Alto PAN-OS is an unauthenticated remote code execution with root in the User-ID Authentication Portal added on May 6 with a May 9 due date. CVE-2026-42208 in BerriAI LiteLLM is a SQL injection added on May 8 with a May 11 due date. The LiteLLM addition is the one most dev teams need to look at, since many self host LiteLLM as a model routing layer in front of paid APIs.

Cloudflare Ships Emergency WAF Release for CVE-2026-44575 -

On May 7, Cloudflare published an emergency WAF release covering CVE-2026-44575, the same Next.js middleware bypass patched on the framework side the same day. If you sit behind Cloudflare and have not pulled the Next.js patch yet, the WAF rule reduces exposure while you ship the upgrade.

Microsoft Patch Tuesday for May falls on May 12, outside this week’s window. Coverage will land in next week’s roundup.

Industry News

Cloudflare Q1 Beat With AI-First Layoffs -

Covered above as a top story but worth noting in the financial frame. Cloudflare’s Q1 2026 revenue of 639.8 million dollars (up 34 percent year over year) sits next to a GAAP net loss of 22.9 million dollars and a non-GAAP net income of 94 million dollars. The 1,100 person reduction is the largest dev relevant layoff of the week and the most direct AI is doing the work statement from a major infrastructure vendor so far.

SAP Signs to Acquire Dremio and Prior Labs -

On May 4, SAP announced two acquisitions on the same day. The first, Dremio, brings an open data lakehouse platform to unify SAP and non-SAP data for agentic AI workloads. The transaction is expected to close in Q3 2026. Terms were not disclosed. The second is Prior Labs, a pioneer in Tabular Foundation Models. SAP committed to invest more than 1 billion euros over four years to scale Prior Labs into a frontier AI lab in Europe. Both deals are subject to regulatory approval.

Cisco Intends to Acquire Astrix Security -

On May 4, Cisco announced its intent to acquire Astrix Security, a Non-Human Identity (NHI) security pioneer. The bet is squarely on the next 12 months: as agent fleets grow, every team will need to manage thousands of service principals, OAuth tokens, and machine credentials per workspace. Astrix joins the Cisco security portfolio.

IREN to Acquire Mirantis for $625M -

On May 5, IREN signed a definitive agreement to acquire Mirantis, a cloud infrastructure and Kubernetes provider, in a 625 million dollar all stock deal. IREN is a former Bitcoin miner repositioned as an AI cloud, and Mirantis brings OpenStack and Kubernetes expertise. Mirantis customers should plan on a strategy shift over the next two quarters.

Google Launches the $99 Fitbit Air -

On May 7, Google launched the Fitbit Air, a 99 dollar screenless wearable with Gemini powered Google Health Coach. The device is 25 percent smaller than the Fitbit Luxe and 50 percent smaller than the Inspire 3. Battery lasts up to a week, with a five minute fast charge giving a full day. Available for pre-order now and shipping May 26. Fitbit data moves into the new Google Health app, which is the part developers should track if they ship anything that integrated with Fitbit APIs.

French Prosecutors Escalate X and Musk Probe to Criminal Investigation -

On May 7, French prosecutors escalated their investigation into Elon Musk and X to a criminal probe focused on alleged algorithmic manipulation and sexual deepfakes. Sets a meaningful precedent for criminal liability around recommender systems and generative content, especially in the EU.

Arm Doubles AGI CPU Sales Guidance -

On May 7, Arm raised the FY27 and FY28 sales target for its AGI CPU, the company’s own AI chip for data centers, to 2 billion dollars, doubling its March 2026 guidance. Arm-native Linux and toolchain work for AI workloads is now a real adjacent market.

PHP Retires Its Custom License, Moves to 3-Clause BSD -

The PHP project formally retired the PHP License 3.01 and the Zend Engine License 2.0, moving everything to the standard 3-clause BSD license. PHP 9.0 ships under the new license. The change makes PHP GPL compatible for the first time and removes a long running headache for distros and downstream packagers. The retirement announcement went to the OSI license-review list this month.

Funding

Blitzy Raises $200M at $1.4B Valuation for Parallel Coding Agents -

On May 5, Blitzy announced a 200 million dollar round at a 1.4 billion dollar valuation. The autonomous software development startup, founded in 2023, deploys thousands of coding agents in parallel for enterprise codebases and pitches months of completed work in a single run. Northzone led, with PSG, Battery Ventures, and Jump Capital among the participants. Direct competitor signal for Devin, Cursor cloud agents, and Claude Code at scale.

Quantum Motion Closes $160M Series C -

On May 7, Quantum Motion, a UK based company building quantum computers on silicon chips, raised a 160 million dollar Series C. EU backed growth fund Kembara made its first investment as part of the round. Largest UK quantum round to date. Worth tracking for cryptography roadmap planning, even if practical impact on application code is still years out.

Corgi Raises $160M Series B -

On May 6, Corgi raised 160 million dollars in a Series B led by TCV at a 1.3 billion dollar valuation. The AI native insurance platform for startups will expand into new verticals including trucking insurance. Total raised is now over 268 million dollars.

DeepInfra Closes $107M Series B -

On May 5, DeepInfra raised 107 million dollars in Series B funding led by 500 Global and Georges Harik. The Palo Alto based cloud inference platform processes nearly five trillion tokens per week. Direct pricing pressure on the OpenAI and Anthropic API endpoints.

RadixArk Launches with $100M Seed for SGLang Infrastructure -

On May 5, RadixArk launched with 100 million dollars in seed funding at a 400 million dollar post money valuation. Founded by the creators of the SGLang open source inference engine, the company plans to commercialize SGLang and democratize frontier AI infrastructure. Accel led, with Spark Capital co-leading.

Tessera Labs Raises $60M Led by a16z -

On May 6, Tessera Labs, a San Jose based multi-agent AI platform provider, raised 60 million dollars led by Andreessen Horowitz. The company sells vendor agnostic AI for enterprise ERP systems and data optimization. Telegraphs the a16z thesis on enterprise agents being a horizontal layer rather than a feature inside vendor specific tools.

Tekst Raises $11.5M Series A -

On May 8, Tekst raised 11.5 million dollars in Series A funding for an agentic AI process intelligence platform. Smaller than the others but representative of the category as process mining and agents converge.

The Numbers That Matter

220,000 NVIDIA GPUs Anthropic now has access to through SpaceX Colossus 1
1,100 Cloudflare layoffs announced May 7
24% Cloudflare stock drop on the day, despite a Q1 earnings beat
52.5% Reduction in hallucinated claims for GPT-5.5 Instant on high stakes prompts
13 Security advisories patched in the Next.js May emergency release
$200M Blitzy round at $1.4B valuation, the largest in the window

Quick Hits

Anthropic and SpaceX - May 6. All compute capacity at Colossus 1 in Memphis. Over 300 MW and 220,000+ NVIDIA GPUs available within the month. Same day, Claude Code five hour rate limits doubled across Pro, Max, Team, and Enterprise. Peak hour throttling removed for Pro and Max. Opus API rate limits raised. Plus interest in multi gigawatt orbital compute with SpaceX.

Cloudflare Q1 and layoffs - May 7. Revenue 639.8M (up 34 percent YoY) beats 622M estimate. Adjusted EPS 25 cents vs 23 cents. 1,100 layoffs (around 20 percent of staff) framed as agentic AI-first restructuring. 140 to 150M restructuring charges. Stock falls 24 percent.

AWS Bedrock AgentCore Payments - May 7. Preview with Coinbase and Stripe. x402 protocol for stablecoin micropayments. Coinbase x402 Bazaar with 10,000+ MCP endpoints. Stripe Privy wallet infrastructure. Session level spending limits at the infrastructure layer. Available in N. Virginia, Oregon, Frankfurt, Sydney.

AWS MCP Server GA - May 6. Core component of the Agent Toolkit for AWS. Single tool to call any AWS API. Sandboxed Python script execution. Agent Skills replace Agent SOPs. No additional charge.

Cursor 3.3 - May 7. PR review experience inside the agents window. Build in Parallel for plans using async subagents. Split PRs from chat context with backup snapshot. Pinned skills as quick action pills. Slash multitask command in the editor. Configurable Explore subagent behavior.

OpenAI GPT-5.5 Instant - May 5. New default ChatGPT model and API chat-latest. 52.5 percent fewer hallucinations on high stakes prompts. 30.2 percent fewer words. Personalization across past chats, files, and connected Gmail. GPT-5.3 Instant retires after three months.

OpenAI Realtime audio models - May 7. GPT-Realtime-2 with GPT-5 class reasoning. GPT-Realtime-Translate (70 input languages, 13 output). GPT-Realtime-Whisper streaming STT.

OpenAI GPT-5.5-Cyber - May 7. Limited preview for cybersecurity defenders. Trusted Access for Cyber. Phishing resistant security required by June 1.

OpenAI Trusted Contact - May 7. Optional ChatGPT safety feature for adult users. Emergency contact for serious mental health concerns. No transcripts shared.

OpenAI ads in ChatGPT - May 5 and May 7. New ways to buy ChatGPT ads on May 5. Testing ads in ChatGPT on May 7. First explicit ad surfaces.

xAI Grok 4.3 - May 6. Built in reasoning. 1M context. Agentic tool use. $1.25 in, $2.50 out per million tokens. Connectors for SharePoint, Outlook, OneDrive, Google Workspace, Notion, GitHub, Linear. Imagine Quality Mode API. Voice cloning suite.

xAI Grok deprecations - May 15 deadline. grok-4-1-fast-reasoning, grok-4-fast-reasoning, grok-3, grok-code-fast-1 all retiring. Migrate to Grok 4.3.

Google Cloud Agent Identity GA - May 6. SPIFFE based principal type in IAM. Agent Gateway with policy enforcement preview. IAP for Agents preview.

Google Agentic Data Cloud - May 6. About 80 product updates. Knowledge Catalog, Cross-Cloud Lakehouse for AWS and Azure data, Spanner Omni for edge and on premises.

Gemini API File Search - May 5. Multimodal images plus text. Custom metadata filtering. Page level citations.

Anthropic finance agents - May 5. Ten Cowork and Claude Code plugins. Pitch builders, earnings reviewers, valuation reviewers, GL reconciler.

Claude Code releases - v2.1.128 (May 4), v2.1.133 (May 7), v2.1.136 in window. Worktree settings, sandbox configuration, MCP server fixes, auto mode rule improvements.

GitHub Copilot org-level secrets - May 8. Dedicated Agents secrets and variables type. Org level configuration shared across selected repos. Separate Agents section in repo settings.

GitHub Copilot CLI plugins - May 6. Enterprise managed plugins in public preview.

Rubber Duck Claude critic - May 7. GitHub Copilot CLI Rubber Duck supports more models including Claude as critic.

Cloudflare Workers Stream Bindings - May 7. Programmatic access to Stream video library without authenticated REST calls.

Cloudflare Mesh IPv6 - May 6. IPv6 CIDR routes for IPv6 only and dual stack private networks.

Snowflake 10.16 - May 4. Data quality checks by group GA via WITHIN GROUP clause.

Databricks Runtime 18.2 GA - May 4. Lakeflow Pipelines Editor GA same day. May 5 added managed ingestion connectors for Outlook and GitHub in beta plus automatic identity sync.

Kubernetes v1.36 Declarative Validation GA - May 5. New +k8s: marker tags replace handwritten validation across native types.

Node.js 26.1.0 - May 7. Experimental node:ffi module for dynamic libraries behind –experimental-ffi flag. Buffer, crypto, debugger, filesystem, HTTP, process, stream, test runner improvements.

Next.js 15.5.18 and 16.2.6 - May 7. Emergency security release. 13 advisories. Middleware and proxy bypass, SSRF, cache poisoning, XSS, DoS. CVE-2026-44575 included.

React 19.0.6 - May 6. Type hardening. RSC denial of service patched (CVE-2026-23870). Also released on 19.1 and 19.2 lines.

Svelte May update - May 2026. SvelteKit 2.56.0 with breaking remote function changes. TypeScript 6.0 support. sv-utils package split.

CISA KEV Ivanti EPMM CVE-2026-6973 - May 7. Authenticated admin RCE actively exploited. Federal due date May 10.

CISA KEV Palo Alto PAN-OS CVE-2026-0300 - May 6. Unauth RCE with root in User-ID Authentication Portal. Due date May 9.

CISA KEV BerriAI LiteLLM CVE-2026-42208 - May 8. SQL injection in self hosted LLM gateway. Due date May 11.

Cloudflare emergency WAF - May 7. CVE-2026-44575 Next.js middleware bypass coverage same day as the Next.js patch.

SAP to acquire Dremio - May 4. Open data lakehouse platform. Closes Q3 2026. Terms undisclosed.

SAP to acquire Prior Labs - May 4. Tabular Foundation Models pioneer. Over 1 billion euros over four years.

Cisco intent to acquire Astrix Security - May 4. Non Human Identity security platform.

IREN to acquire Mirantis - May 5. 625 million dollars in IREN ordinary shares. OpenStack and Kubernetes expertise.

Fitbit Air launch - May 7. 99 dollars. Screenless wearable. Google Health Coach. Up to a week of battery. Pre-order now, ships May 26.

French X criminal probe - May 7. Algorithmic manipulation and sexual deepfakes. Escalation from earlier investigation.

Arm AGI CPU guidance - May 7. FY27 and FY28 sales raised to 2 billion dollars, double the March 2026 guidance.

PHP License retired - May 2026. Move to 3-clause BSD. PHP 9.0 ships under new license. GPL compatible.

Blitzy $200M round - May 5. 1.4 billion valuation. Northzone led. Parallel coding agents for enterprise.

Quantum Motion $160M Series C - May 7. Silicon chip quantum computing. Kembara first investment.

Corgi $160M Series B - May 6. TCV led. 1.3 billion valuation. AI native insurance.

DeepInfra $107M Series B - May 5. Cloud inference platform. 5 trillion tokens per week.

RadixArk $100M seed - May 5. SGLang open source inference engine commercialized. Accel led, Spark co-led.

Tessera Labs $60M - May 6. a16z led. Multi-agent AI for enterprise ERP.

Tekst $11.5M Series A - May 8. Agentic AI process intelligence.

Three threads from the week worth pulling on. The first is that the AI compute market is now openly a hardware allocation problem. Anthropic locked in 220,000 GPUs at SpaceX Colossus 1 on May 6 and used the capacity to lift Claude Code rate limits the same day. That is not a 2027 roadmap item. It is shipping volume now, on top of the 5 GW Amazon, 5 GW Google and Broadcom, and 30 billion dollar Microsoft and NVIDIA commitments already on the books. If your 2026 capacity planning still assumes you are the rate limiter, this week was the moment that flipped. The second thread is that the labor side of AI keeps getting clearer. Cloudflare beat estimates and laid off 1,100 people on the same morning, calling out support roles by name. Layoffs at growing infrastructure companies were not part of the 2025 playbook. They are now. The third is the agent stack is filling in below the application layer. AWS shipped the MCP Server GA, Bedrock AgentCore Payments preview, and the Agent Toolkit. Google shipped Agent Identity GA. GitHub gave Copilot cloud agent its own secrets type at the org level. Cursor put PR review and split PRs into the agents window. None of these are demo moves. They are the boring, integrative pieces that make agents survive enterprise rollouts. The next two quarters will be about who can stitch these primitives together fastest.

See you next week.