gadget/docs/landing-page.md
Rob Colbert 35fe099dd1 created
2026-05-13 13:06:12 -04:00


# Gadget Landing Page
Gadget Code needs a landing page, and that will be created here in the Gadget monorepo. Gadget Code has a sister product: Gadget. Gadget is a sidebar browser extension that provides agentic services to the browser, and also a web app that implements chat about a person's information, knowledge, meetings, and more.
The Landing Page project will be building a static website with a sales and marketing focus. The objective is to present the strengths of Gadget and Gadget Code, provide a path for people to follow to learn more about either, and then provide information about how to (1) get and (2) subscribe to Gadget.
Gadget Code is free and open source software licensed under the Apache 2.0 open source license. There is no cost to obtain Gadget Code. We will be providing a link directly to our self-hosted gitea-backed server. It is not on GitHub. It prefers to stay away from GitHub.
## The Status of GitHub and Why We Avoid It
GitHub is experiencing a severe platform reliability and security crisis in 2026, driven by a massive surge in AI agent traffic and infrastructure strain. Third-party monitoring services report that GitHub's actual uptime plummeted to roughly 90.21% over a 90-day window, experiencing 37 service incidents in February and 48 major outages between mid-2025 and April 2026. [1, 2, 3]
An explosion of AI-driven automated code—averaging 230 new repositories created every minute—overloaded the platform's backend and crippled critical developer workflows. This infrastructure decay, combined with high-profile security vulnerabilities and silent data corruptions, has broken developer trust and triggered an exodus of prominent open-source projects. [2, 4, 5]
### Major Incidents & Outages (Thus Far in 2026)
The primary bottleneck for GitHub has been database saturation, misconfigured deployment updates, and an incomplete, lagging migration to Microsoft Azure. [2, 6]
- The Silent Merge Queue Deletion Bug (April 23, 2026): In one of GitHub's worst-ever data integrity incidents, a regression in the platform's Merge Queue operations caused inadvertent code deletion. When multiple Pull Requests were batched into a squash merge, subsequent merges silently reverted previously committed and approved code. Over 2,092 pull requests across 230 repositories were impacted. GitHub could not automatically repair the state of the affected branches, forcing companies (such as Modal and Zipline) to manually audit and reconstruct their Git history.
- The Elasticsearch Subsystem Collapse (April 27, 2026): Just four days after the merge queue bug, GitHub's Elasticsearch subsystem became severely overloaded, likely triggered by a botnet attack. Because the subsystem lacked proper blast-radius isolation, it acted as a single point of failure. Global search capabilities, PR views, and project boards collapsed entirely for several hours.
- The 12-Hour Cascading Failure (February 9, 2026): Extreme database saturation knocked GitHub offline five separate times over a 12-hour period. Engineering teams globally saw CI/CD queues freeze, blocking production deployments.
- Redis Infrastructure Breakdown (March 5, 2026): A faulty production update to GitHub's Redis load balancer misrouted internal traffic to incorrect hosts. The incident caused 95% of GitHub Actions workflows to experience massive delays and triggered a 10% total infrastructure failure rate.
- Codespaces Authorization Lockout (February 12, 2026): A broken backend change in an authorization dependency triggered a 90% failure rate for developers attempting to spin up or resume environments in Europe, Asia, and Australia.
- Dependabot Failure Loop (January 31 to February 2, 2026): A cluster failover accidentally connected the automated security patching service to a read-only database cluster. This configuration error broke automated PR generation for thousands of repositories. [1, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
### Critical Security Vulnerabilities & Breaches
In parallel with its physical infrastructure downtime, GitHub suffered catastrophic security flaws that directly exposed customer codebases. [14, 16, 17]
- CVE-2026-3854 Remote Code Execution (Disclosed April 28, 2026): Discovered by researchers at Wiz, this critical vulnerability allowed any authenticated platform user to execute arbitrary code directly on [GitHub.com](https://github.com/) backend servers via a standard git push. Unsanitized metadata processing allowed attackers to bypass isolation boundaries and target millions of hosted repositories.
- The Navia Data API Breach (January 2026): A vulnerability stemming from an exposed API enabled a threat actor to scrape personal data belonging to 2.7 million people, leaking sensitive account information, names, and contact details. [16, 18, 19, 20]
### Prominent Projects Exiting the Platform
The continuous infrastructure decay and the "attention-extraction surface" created by unvetted, spammy AI pull requests have convinced tier-one open-source developers that GitHub is no longer a stable foundation for software development. [4, 21]
- Ghostty (Mitchell Hashimoto): The highly publicized departure of 2026 came from Mitchell Hashimoto (co-founder of HashiCorp), who announced he is moving his prominent Rust-based terminal emulator, Ghostty, entirely off GitHub. Hashimoto published logs detailing near-daily platform outages, publicly stating that GitHub is "no longer a place for serious work" due to its unreliable infrastructure.
- Zig Software Foundation: The core language repository for Zig migrated its infrastructure away from GitHub to Codeberg. The foundation cited the constant noise of low-quality, AI-generated pull requests straining maintainer resources, combined with platform instability.
- tldraw & Curl: While not fully migrating hosts, other critical open-source dependencies have taken drastic countermeasures. tldraw entirely closed external public code contributions due to AI spam. Meanwhile, Daniel Stenberg (creator of curl) completely shut down curl's long-running bug bounty program in early 2026 after AI-hallucinated vulnerability submissions caused the valid confirmation rate to drop below 5%, burying human maintainers in garbage data. [4, 21, 22, 23, 24]
### Summary of GitHub's Response
Following the twin disasters of the April 23 merge queue bug and the CVE-2026-3854 server exploit, GitHub's Chief Technology Officer issued an official apology on April 28, 2026. The platform announced an emergency expansion plan, increasing its infrastructure capacity spending target from 10x to 30x in a bid to keep pace with AI automation traffic and stabilize its brittle platform services. [18, 19, 25]
### Migrating Away From GitHub
If you are auditing your team's infrastructure risks, I can provide a comprehensive technical comparison of GitLab, Codeberg, and self-hosted Gitea architectures, or outline strategies for backing up your GitHub Actions secrets. Which direction would be most useful?
[1] [https://leaddev.com](https://leaddev.com/software-quality/whats-gone-wrong-at-github)<br/>
[2] [https://www.reddit.com](https://www.reddit.com/r/IncidentHub/comments/1t3ajgo/github_outages_2025_2026_reliability_analysis_and/)<br/>
[3] [https://www.buildmvpfast.com](https://www.buildmvpfast.com/blog/github-three-nines-reliability-developer-platform-2026)<br/>
[4] [https://python.plainenglish.io](https://python.plainenglish.io/im-tired-of-pretending-github-is-fine-883b15a1c4a5)<br/>
[5] [https://dev.to](https://dev.to/varshithvhegde/github-broke-git-the-merge-queue-bug-that-silently-deleted-your-code-4f7i)<br/>
[6] [https://byteiota.com](https://byteiota.com/github-reliability-crisis-three-nines/)<br/>
[7] [https://github.blog](https://github.blog/news-insights/company-news/github-availability-report-february-2026/)<br/>
[8] [https://www.mexc.com](https://www.mexc.com/news/1060484)<br/>
[9] [https://eu.githubstatus.com](https://eu.githubstatus.com/history)<br/>
[10] [https://medium.com](https://medium.com/@monkfromearth/github-let-a-git-push-hijack-its-servers-rce-cve-2026-3854-2f9e3e8be660)<br/>
[11] [https://github.blog](https://github.blog/news-insights/company-news/an-update-on-github-availability/)<br/>
[12] [https://statusgator.com](https://statusgator.com/services/github/outage-history)<br/>
[13] [https://getsecureslate.com](https://getsecureslate.com/blog/what-the-github-outage-taught-us-about-resilience-and-compliance-2026)<br/>
[14] [https://github.blog](https://github.blog/news-insights/company-news/github-availability-report-march-2026/)<br/>
[15] [https://github.blog](https://github.blog/news-insights/company-news/github-availability-report-february-2026/)<br/>
[16] [https://www.youtube.com](https://www.youtube.com/watch?v=q1I5m6cQNlY&t=11)<br/>
[17] [https://www.reddit.com](https://www.reddit.com/r/IncidentHub/comments/1t3ajgo/github_outages_2025_2026_reliability_analysis_and/)<br/>
[18] [https://medium.com](https://medium.com/@cdcore/github-got-hacked-and-honestly-that-wasnt-even-the-worst-part-9940b4c3b729)<br/>
[19] [https://medium.com](https://medium.com/@cdcore/github-got-hacked-and-honestly-that-wasnt-even-the-worst-part-9940b4c3b729)<br/>
[20] [https://www.pkware.com](https://www.pkware.com/blog/2026-data-breaches)<br/>
[21] [https://medium.com](https://medium.com/@NMitchem/github-is-dying-and-developers-dont-even-know-it-yet-cca14b732ae5)<br/>
[22] [https://lucumr.pocoo.org](https://lucumr.pocoo.org/2026/4/28/before-github/)<br/>
[23] [https://www.theregister.com](https://www.theregister.com/software/2026/04/29/mitchell-hashimoto-says-github-no-longer-for-serious-work/5227505)<br/>
[24] [https://www.techzine.eu](https://www.techzine.eu/news/devops/136914/zig-project-leaves-github-due-to-excessive-ai/)<br/>
[25] [https://github.blog](https://github.blog/news-insights/company-news/an-update-on-github-availability/)<br/>
## The Status of VS Code And Why People Are Replacing It
A pervasive decline in software quality and telemetry bloat has compromised Microsoft's Visual Studio Code (VS Code) ecosystem. Once celebrated as a lightweight, lightning-fast text editor, VS Code has faced a wave of developer backlash. The core issues stem from aggressive AI feature overreach, memory leak regressions, and ecosystem instability caused by major platform updates.
Enterprise organizations and independent engineers report that the IDE has transformed into a heavy, resource-intensive environment. This shift actively disrupts professional software engineering workflows and incurs significant operational costs.
### Over-Reaching AI & The "Ghost Credit" Backlash
Microsoft's structural pivot to prioritize Generative AI above platform reliability has severely alienated core users.
- The GitHub Copilot Metadata Hijack (March to May 2026): In a highly controversial update, Microsoft quietly modified the VS Code core commit mechanics to automatically inject a "Co-authored-by: Copilot" trailer into Git commit metadata. The tag was applied even when code was written entirely by humans without AI assistance. Engineers condemned this as an unacceptable violation of professional compliance, forcing Microsoft to issue a public apology and revert the default behavior in the version 1.119 update.
- Intrusive Context Degradation: Updates to the integrated GitHub Copilot Chat extension have degraded its reasoning capacity. The extension frequently fails to respect user-defined workspace contexts. It has also begun dropping arbitrary files and unrequested layout files into incorrect directory paths.
- Disruptive UI Interventions: Users report that persistent, non-configurable inline ghost text, AI hover cards, and autocomplete overlays routinely block human-authored typechecking. This issue forces developers to resort to CLI-based environments to bypass the UI noise.
### Systemic Extension Instability & Resource Bloat
The platform's underlying codebase has suffered from critical regressions. These flaws trigger catastrophic performance degradation under standard enterprise multi-repository workloads.
- The Breakage of March 2026: A core marketplace update pushed on March 26, 2026, broke core abstractions for heavily relied-upon extensions (tracked in microsoft/mcp/issues/2237), leaving developers unable to load their local server and cloud workflows for days.
- Multi-Gigabyte Language Server Leaks: The core language protocol companion, Microsoft.CodeAnalysis.LanguageServer, suffers from a compounding memory leak. It routinely balloons to consume 40GB+ of system RAM on idle configurations, crippling standard 16GB to 32GB developer laptops.
- Ecosystem Memory Collapses: Unchecked token parsing loops in popular extensions cause massive memory leaks. The Claude Code extension (v2.1.20) was documented spawning background tasks that consume 23.2GB of RAM out of the box. Simultaneously, Microsoft's official C/C++ IntelliSense engine routinely triggers 100% CPU lockups and 5GB+ RAM memory leaks when opening larger codebases.
### Critical Extension Security Flaws
The neglect of vetting mechanisms within the VS Code Marketplace has exposed companies to supply-chain vulnerabilities.
- The 125-Million Install Security Advisory (February 2026): Cybersecurity researchers disclosed devastating remote code execution (RCE) flaws in four of the most heavily downloaded extensions on the platform: Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Threat actors could exploit these flaws via local workspace configurations to exfiltrate local source files and compromise developer machines.
### Economic & Business Impacts
| Impact Vector | Technical Consequence | Business & Bottom-Line Cost |
| ------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------------------------- |
| System Sluggishness | Memory leaks force constant IDE restarts and cause severe system lag. | Lost developer billable hours; degraded engineering velocity. |
| Telemetry & Tool Fatigue | Intrusive AI prompts and telemetry noise mask true error highlights. | Increased defect escape rate; manual code refactoring costs. |
| Compliance Risks | Forced AI attribution tags pollute corporate repository Git histories. | Legal friction concerning open-source licenses and code pedigree. |
| Supply Chain Exposure | Vulnerable marketplace components allow local file exfiltration. | Intellectual property theft; exposure of proprietary corporate codebases. |
### Migrating Away From VS Code
The tone should be:
> If you are looking to mitigate these environment issues within your engineering org, I can provide a comprehensive migration blueprint to Gadget Code. How would you like to proceed?
We want to present Gadget Code as the solution to VS Code that provides a better experience by making the agent a first-class feature of the application (not a bolt-on afterthought), and by providing the guardrails and safeguards that Microsoft doesn't think about anymore.