GitHub Trending Top 10: May 5–11, 2026

Ten repositories dominated GitHub Trending this past week. Each entry below covers what the project does, what makes it different from the alternatives, and — where the code teaches something — the specific technique you can adapt. Repos are ranked by total star count, descending, with weekly increment noted for each so you can gauge momentum independently.

1. sindresorhus/awesome — 465,000★

Language: Markdown · License: CC0-1.0 · Last commit: May 5, 2026

At first glance awesome looks like "another curated list." It isn't — it's a directory of lists. The 600+ entries in its single readme.md are hyperlinks to other curated repos, not to the software itself. sindresorhus/awesome is an index, not an aggregator. 1

The taxonomy spans 26 top-level categories — Platforms, Programming Languages, Front-End Development, Back-End Development, Computer Science, Big Data, Security, Gaming, and more — giving any developer a navigation layer before drilling into a domain-specific list. The companion URL awesome.re redirects straight to the repo.

What's worth borrowing: the lightweight contribution infrastructure. Every curated-list project has to keep quality up without becoming a bureaucracy. This repo ships four files — contributing.md, create-list.md (a guide for starting new awesome lists), pull_request_template.md, and code-of-conduct.md — that have been adopted nearly verbatim by hundreds of downstream awesome-* repos. It's the cheapest governance scaffold for an open-source documentation project.

This week: one maintenance commit on May 5 updating a GitHub topics docs link.

2. ripienaar/free-for-dev — 122,000★

Language: HTML (content lives in README) · License: none listed · Last commit: May 12, 2026

The premise is narrow on purpose: list only SaaS/PaaS/IaaS offerings with a genuinely free tier (not a trial), active for at least one year if time-bucketed, and never putting TLS behind a paywall. That last gate is the maintainer's stated hard line. 2

The result is 1,500+ entries across roughly 60 categories — managed databases, CI/CD pipelines, feature toggle services, email routing, generative AI APIs, observability stacks, and more. A companion site at free-for.dev renders the README as a searchable page.

What separates it from a search: the eligibility criteria act as a pre-filter. You don't get trials pretending to be free tiers, and you don't get services that silently move TLS behind a paywall. Maintainer R.I. Pienaar explicitly calls the list "opinionated" — if a contribution doesn't fit the infrastructure developer use case, it won't merge.

This week: 20+ commits between May 5–12 added entries for CatchDoms (domain aggregator), Gizmo Analytics, boxd (Linux VMs), conduit.email (email-to-webhook), isitdownstatus.com (status API), Reactive Resume, vask.dev (realtime messaging), and imgen (image generation). Pagure.io was removed from the repository hosting section. 3

Licensing note: this repo carries no explicit open-source license file — unusual for a 122k-star project. Check the current state before forking or redistributing the content.

3. jaywcjlove/awesome-mac — 104,000★

Language: Swift (tooling), Markdown (content) · License: CC0-1.0 · Latest release: v2.1.0, March 30, 2026

Unlike most awesome lists — which are plain text files maintained by hand — awesome-mac runs an automated pipeline. Swift tooling handles RSS feed generation, GitHub Actions runs CI on every PR, and Renovate manages dependency updates. Four README files cover English, Chinese, Japanese, and Korean. 4

Each entry carries a visual icon set: Open Source, Freeware, App Store, macOS Native App, and Awesome List — so you can filter by cost and distribution model at a glance. The repo also maintains a blocklist of pirated software download sites.

This week: seven additions committed May 5–10 — SSH Keys Manager (developer utilities), muxbar (menu bar tmux controller), CodexIsland (notch tool for Claude/Codex CLI), OpenQuack (voice dictation), Voxt (hold-to-talk voice input), and MacDown (Markdown editor). The Warp terminal entry was updated to reflect its open-source status. 5

Pattern to borrow: automated freshness signaling. Most curated lists go stale because maintainers have no mechanism to know when a tool changes category (e.g., going open source). The RSS feed pipeline here gives subscribers a diff-style update channel — a pattern any documentation project maintaining external links could replicate with a GitHub Action.

4. oven-sh/bun — 89,900★ (+385/week)

Language: Zig · License: MIT (statically links LGPL-2 JavaScriptCore) · Latest release: v1.3.13, April 20, 2026

Bun is a JavaScript runtime, bundler, package manager, and test runner — all in a single ~100MB binary. The stated goal: replace the four separate tools (Node.js, npm/yarn, webpack/esbuild, Jest/Vitest) you currently install for a JavaScript project. 6

The core technical bets that separate it from Node.js and Deno:

Zig + JavaScriptCore instead of C++ + V8: Zig's manual memory management eliminates GC overhead on the runtime side. JSC's (WebKit's JavaScript engine) JIT tiers — LLInt → Baseline → DFG → FTL — give faster cold starts than V8.
Static linking via build.zig: BoringSSL, zlib-ng, mimalloc (an allocation library), libarchive, and ~20 other C libraries compile into the single binary. No dynamic linking surprises across platforms.
The bundler is a Zig port of esbuild's core algorithms (with permission from Evan Wallace), extended with CSS bundling, HTML entry points, hot module replacement, and bun build --compile for self-contained executable output. 7

v1.3.13 shipped four concrete performance improvements: streaming tarball extraction cut bun install memory use by 17x; source map storage dropped from 20 bytes per mapping to 2.4 bytes per mapping; zlib-ng upgrade accelerated compression 2.5–5.5x with SIMD dispatch (AVX-512/AVX2/SSE2/NEON/SVE); and the JavaScriptCore merge absorbed 1,316 upstream commits adding inline caches and SIMD string operations. 7

This week: no new release, but ~22 commits landed May 5–11 — a WebKit engine upgrade, node:http duplex mode support, TLS Windows system store intermediate loading, and process CTRL_CLOSE_EVENT → SIGHUP translation on Windows. 8

Pattern to borrow: bun build --compile bundles TypeScript source plus all dependencies into a self-contained executable. For any CLI or developer tool, this eliminates "did you run npm install?" failures in CI and removes install friction for end users.

5. openai/openai-cookbook — 73,500★ (+236/week)

Language: Jupyter Notebook (93%) · License: MIT · Last commit: May 11, 2026

The Cookbook occupies a specific structural position: it sits between the raw API reference (what each parameter does) and third-party framework tutorials (which layer LangChain or LlamaIndex abstractions on top). Every example is end-to-end, runnable, written by OpenAI engineers against the official Python SDK, with no extra abstraction layer. 9

The examples/ directory has 34 subdirectories. The most active cluster in 2026 is agents_sdk/, followed by codex/. A registry.yaml file gives every entry a slug, date, author, and tag set — making the inventory diffable week over week.

Three patterns from this week's additions (May 5–11): 10

Pattern 1 — Agent improvement flywheel (May 11): The Agent Improvement Loop cookbook treats the full contract around a model — instructions, tools, routing, output requirements, validation checks — as a versioned artifact that can be improved programmatically. 11

The loop: Agents SDK traces → human + LLM feedback → Promptfoo eval generation → HALO optimization ranking → a single codex_handoff.md file that carries the diagnosis, ranked recommendations, and implementation guidance into the next run. All model names are environment variables defaulting to gpt-5.5 — swap cheaper models for cost-sensitive steps with one change.

Pattern 2 — Three-phase closed-loop repair (May 11): The Codex iterative repair cookbook uses a Review → Repair → Validate architecture where every phase emits structured JSON consumed by the next phase. 12

The "business rules as shared contract" pattern: rather than letting each phase re-derive what "good" means, you define it once as a JSON object and inject it everywhere. Codex CLI runs headless via codex exec --ask-for-approval never --output-schema {schema}, producing machine-readable output that Python orchestrates. Validation failures become structured remaining_delta objects — inputs for the next repair iteration, not dead ends.

Pattern 3 — Client-secret mediated WebRTC (May 7): The realtime translation cookbook dropped the same day OpenAI launched gpt-realtime-translate. 13

The transferable security pattern: your server creates a short-lived client secret via POST /v1/realtime/translations/client_secrets and hands only that token to the browser. The browser never touches your API key. The browser then captures a fresh SDP offer, posts it to the translations endpoint with the client secret, and receives translated audio as a remote WebRTC track.

Browser tab live translation architecture — control plane creates client secret on the server; media loop captures tab audio via getDisplayMedia, opens a WebRTC peer connection to the Realtime Translation API, and receives translated audio plus subtitles in return.

Image from: Build Live Translation Apps with gpt-realtime-translate

The cookbook shows three deployment shapes using the same pattern: browser tab (WebRTC), phone calls (Twilio Media Streams → WebSocket), and video calls (LiveKit).

Phone call translation via Twilio — two independent translation sessions, one per language direction, each with its own OpenAI session.

Image from: Build Live Translation Apps with gpt-realtime-translate

6. Eugeny/tabby — 71,200★ (+348/week)

Language: TypeScript · License: MIT · Latest release: v1.0.233, May 7, 2026

Tabby is a cross-platform terminal emulator (Windows, macOS, Linux) with a built-in SSH connection manager, encrypted credential vault, serial/telnet client, SFTP panel, and plugin system. 14

Where it carves out space: iTerm2 is macOS-only; Windows Terminal is a shell host without an integrated SSH client; Warp is AI-first and requires a proprietary backend. Tabby is fully local, fully open-source (MIT), and its SSH implementation — backed by russh (a Rust SSH library loaded as a native Node module) — supports X11 forwarding, agent forwarding (Pageant + OpenSSH Agent), jump hosts, Zmodem file transfers, and post-quantum key exchange (mlkem768x25519-sha256, added in v1.0.228).

The monorepo contains ~25 packages (tabby-core, tabby-electron, tabby-ssh, tabby-terminal, tabby-serial, tabby-web). Even SSH and the settings UI are plugins — you extend or replace them using the same TypeScript/Angular dependency injection API that third-party plugins use.

v1.0.233 (May 7): SFTP panel gets a dedicated hotkey and a refresh button; Windows NSIS installer bundles Visual C++ Redistributable (eliminating a common install failure); config sync now requires HTTPS (fixes CVE GHSA-cmpc-v2x9-j9x9); spellchecker disabled by default to stop automatic dictionary downloads; unsafe exec() removed from the UAC helper; Zmodem transfers now queue writes and show a user confirmation prompt before starting. 15

Pattern to borrow: everything-is-a-plugin architecture. Tabby's Angular DI system lets you inject a replacement SSH transport, a custom credential store, or a new terminal renderer without touching core code. Structuring core features as plugins from day one makes the extension API credible to third-party developers — because it's the same API you use internally.

7. traefik/traefik — 63,100★ (+172/week)

Language: Go (92.5%) · License: MIT · Latest release: v3.7.1, May 11, 2026

Traefik is a reverse proxy and load balancer built around one idea: point it at your orchestrator and it generates routes automatically — no config file edits, no restarts. 16

The provider abstraction is the mechanism: a "provider" watches a specific infrastructure API (Docker labels, Kubernetes API, Consul KV, ECS, Rancher, file) and emits a unified internal configuration model. When a container starts with traefik.enable=true, Traefik detects it, reads routing rules from labels, provisions a Let's Encrypt certificate, and begins routing — no human involved.

Traefik logo

Image from: GitHub - traefik/traefik

v3.7.0 (May 5) — 54 enhancements, the headline being the ingress-nginx annotation metamodel: 35+ NGINX Ingress annotations (rewrite-target, auth-*, proxy-*, limit-*, canary, server-snippet, and more) now map directly to Traefik's dynamic configuration. A Kubernetes cluster running ingress-nginx can migrate to Traefik without rewriting annotations one by one. 17

Also in v3.7.0: Gateway API v1.5.1 support (multiple certificateRefs, BackendTLSPolicy with secret-backed CA certs), Knative v1.20.0, service failover by status code, ACME CertificateTimeout option, and a Web UI certificate dashboard.

v3.7.1 (May 11): patches CVE-2026-44774 (GHSA-96qj-4jj5-wcjc), adds CrossProviderNamespaces for Kubernetes providers, fixes cross-provider reference validation in the CRD provider. The same fix was backported to v3.6.17 and v2.11.46 on the same day — Traefik maintains three version lines simultaneously. 18

Pattern to borrow: middleware as a composable pipeline. Traefik attaches middleware (rate limiting, circuit breaking, auth, compression, redirect, retry) to routes declaratively. Each middleware handles one concern and is stateless. You can add retry logic to a specific route without modifying service code, toggle compression per-route, or chain auth → rate-limit → compress via a single annotation. Any HTTP-layer tool can adopt this separation of "routing decision" from "transformation chain."

8. laurent22/joplin — 54,800★ (+216/week)

Language: TypeScript · License: AGPL-3.0-or-later · Latest stable: v3.6.11, May 8, 2026 · Pre-release: v3.7.1, May 11, 2026

Joplin is a note-taking app for Windows, Linux, macOS, Android, and iOS, with a browser Web Clipper. Its technical differentiator is the sync layer: instead of locking to a specific storage provider, sync is abstracted behind a filesystem-like driver interface. You can sync to Joplin Cloud, Nextcloud, S3, WebDAV, Dropbox, OneDrive, or a local folder — and switch backends without migrating data. 19 20

End-to-end encryption (E2EE) operates at the sync layer. A master key derived from your password encrypts notes before they leave your device — the storage provider never sees plaintext. 21

v3.6.11 (May 8, stable): improved OneNote import — ink conversion, large attachment handling, and special-character title sanitization. 22

v3.7.1 (May 11, pre-release): whiteboard support (new feature), post-quantum cryptography TLS, settings search, table editing commands, Electron upgrade to v40.9.2. 22

Pattern to borrow: filesystem-driver abstraction for sync. Define a minimal interface (read, write, list, delete, stat) and implement it once per backend. The app never calls S3 or WebDAV APIs directly — only the driver. Adding a new backend is a self-contained unit of work that doesn't touch anything else. Any app that needs to support multiple sync or storage backends can use this pattern to avoid coupling the data model to a specific provider.

9. hyprwm/Hyprland — 35,700★ (+221/week)

Language: C++ · License: BSD-3-Clause · Latest release: v0.55.0, May 9, 2026

Hyprland is a tiling Wayland compositor — the layer that manages windows, animations, and rendering on a Linux desktop. Its technical stance is full independence: no wlroots, no libweston, no KWin, no Mutter. The custom rendering pipeline is what makes advanced visual features possible without waiting for upstream compositor libraries. 23

v0.55.0 (May 9) — described by the project as a "massive update": 24

Spring animations: physics-based window motion replacing linear/ease curves
ICC color profile pipeline: per-monitor color management using ICC profiles
Glow decorations: configurable glow rendering around windows
Device-specific binds: keybindings scoped to a specific input device rather than global
Lua config improvements: ExpressionVec2, a simple layout API, and a clear tag API
Live pinch cursor zoom and scroll_move gestures

Four breaking changes: dwindle:pseudotile removed, decoration:shadow:ignore_window removed, render:cm_fs_passthrough removed, and misc:vfr moved to debug:.

Pattern to borrow: the dual UNIX socket IPC design. Hyprland exposes two sockets: .socket.sock (command/response, used by hyprctl) and .socket2.sock (a persistent event stream with 40+ event types). 25 This separation — command socket vs. event socket — applies to any daemon that external tools need to both control and observe. An event socket lets monitors, status bars, and scripts subscribe without polling.

10. gitleaks/gitleaks — 26,900★ (+288/week)

Language: Go · License: MIT · Latest release: v8.30.1, March 21, 2026

Gitleaks scans git history and file trees for secrets — API keys, tokens, credentials — using regex rules rather than machine learning. 26

The design is explicit. As maintainer Zachary Rice wrote: "When it comes to secret detection, regex is all you need. Almost." 27 TOML-based rule files define [[rules]] tables with regex patterns, entropy thresholds, keyword pre-filters, and allowlists. The default config ships rules for 150+ service token types (AWS, GCP, GitHub, GitLab, Slack, and more). Every rule is readable, auditable, and overridable — the opposite of a model-based scanner that gives you a score with no explanation.

Three scan modes: git (reads git log -p), dir (filesystem walk), stdin (pipe input). Three capability additions from recent releases: composite rules (v8.28.0) for requiring a secondary regex match within N lines or columns of a primary match; archive scanning (v8.27.0) for nested zip/tar inspection; and recursive decoding (v8.26.0) to catch percent-, hex-, and base64-encoded secrets. 26

CI integration: native GitHub Action (gitleaks/gitleaks-action@v2), pre-commit hook, and Docker images on both Docker Hub and ghcr.io.

This week: no new commits or releases in the May 5–11 window. The last release (v8.30.1) shipped March 21; the last commit was March 25. The +288 stars/week reflects sustained organic discovery, not an active release cycle.

Pattern to borrow: composite rule proximity matching. A bare regex against high-entropy strings generates false positives. The primary rule + required rules + withinLines/withinColumns constraint cuts noise sharply — you only flag a match when the high-entropy string appears near a context keyword like token or secret. This applies to any text analysis pipeline where a single-signal match is unreliable.

Four of the ten repos shipped releases during the May 5–11 window: Tabby (v1.0.233, May 7), Traefik (v3.7.0 on May 5 and v3.7.1 on May 11), Hyprland (v0.55.0, May 9), and Joplin (v3.6.11 stable May 8, v3.7.1 pre-release May 11). Three of the ten — awesome, free-for-dev, and awesome-mac — ran active community commit streams with no formal release cycle.