Archive for Tuesday, 31st March 2026

Tuesday, 31st March 2026

Release llm-echo 0.3 — Debug plugin for LLM providing an echo model

Mechanisms for testing tool calls. #3

Mechanism for testing raw responses. #4

New echo-needs-key model for testing model key logic. #7

31st Mar 2026, 3:43 pm · llm

Release llm-echo 0.4 — Debug plugin for LLM providing an echo model

Prompts now have the input_tokens and output_tokens fields populated on the response.

31st Mar 2026, 4:48 pm · llm

Release llm 0.30 — Access large language models from the command-line

The register_models() plugin hook now takes an optional model_aliases parameter listing all of the models, async models and aliases that have been registered so far by other plugins. A plugin with @hookimpl(trylast=True) can use this to take previously registered models into account. #1389

Added docstrings to public classes and methods and included those directly in the documentation.

31st Mar 2026, 8:35 pm · llm

Release llm-all-models-async 0.1 — Register async versions of models from LLM plugins that only provide a sync version

LLM plugins can define new models in both sync and async varieties. The async variants are most common for API-backed models - sync variants tend to be things that run the model directly within the plugin.

My llm-mrchatterbox plugin is sync only. I wanted to try it out with various Datasette LLM features (specifically datasette-enrichments-llm) but Datasette can only use async models.

So... I had Claude spin up this plugin that turns sync models into async models using a thread pool. This ended up needing an extra plugin hook mechanism in LLM itself, which I shipped just now in LLM 0.30.

31st Mar 2026, 8:52 pm · async, python, llm

Release datasette-llm 0.1a4 — LLM integration plugin for other plugins to depend on

Ability to configure different API keys for models based on their purpose - for example, set it up so enrichments always use gpt-5.4-mini with an API key dedicated to that purpose. #4

I released llm-echo 0.3 to provide an API key testing utility I needed for the tests for this new feature.

31st Mar 2026, 9:17 pm · datasette, llm

Supply Chain Attack on Axios Pulls Malicious Dependency from npm (via) Useful writeup of today's supply chain attack against Axios, the HTTP client NPM package with 101 million weekly downloads. Versions 1.14.1 and 0.30.4 both included a new dependency called plain-crypto-js which was freshly published malware, stealing credentials and installing a remote access trojan (RAT).

It looks like the attack came from a leaked long-lived npm token. Axios have an open issue to adopt trusted publishing, which would ensure that only their GitHub Actions workflows are able to publish to npm. The malware packages were published without an accompanying GitHub release, which strikes me as a useful heuristic for spotting potentially malicious releases - the same pattern was present for LiteLLM last week as well.

# 11:28 pm / javascript, security, npm, supply-chain

← Monday, 30th March 2026

M	T	W	T	F	S	S
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

Simon Willison’s Weblog

Tuesday, 31st March 2026