31 Mar 2026

Feed: JavaScript Weekly

A new, major npm supply chain attack via Axios

#779 - March 31, 2026

axios Package Compromised; Malicious Versions Added a Trojan Dependency - Axios is an HTTP library that gets 100M+ downloads a week, largely due to its legacy popularity. An attacker took advantage of that to roll out a version with a malicious dependency including a remote access trojan (though Axios' codebase itself was fine). This is big, as even if you don't use Axios, your dependencies might. Here's how to see if you're affected.

Ashish Kurmi

💡 More: Socket offers a more accessible breakdown. There's also a GitHub issue discussing the matter. It's worth considering pinning your dependencies, preventing post-install scripts from running (can be configured with npm but is the default in pnpm and Bun) and/or using cooldowns for dependency updates (using minimumReleaseAge in npm or pnpm's approach).

Still Writing Tests Manually? Meticulous AI Is Here - Notion, Dropbox, Wiz and LaunchDarkly now use a testing paradigm they can't work without. Built by former Palantir engineers, Meticulous automatically creates an evolving suite of E2E UI tests, delivering exhaustive coverage with no developer effort.

Meticulous sponsor

Transformers.js v4: Run AI Models in the Browser - Brings Hugging Face-hosted transformer models into JavaScript, so you can run NLP, vision, and audio models in-browser. v4 switches to a WebGPU runtime and is installable with npm. There are many live demos covering real-time speech transcription, using Qwen 3.5, and real-time video captioning.

Hugging Face

RELEASES:

📖 Articles and Videos

Signals: The Push-Pull Based Algorithm - A well-diagrammed ground-up explanation of how signals work internally, focusing on the push-pull algorithm at the core of reactivity in frameworks like Solid, Vue, and Angular.

Willy Brauner

🖼️ Your Options for Preloading Images with JavaScript - "There are a number of ways to preload an image on demand with JavaScript, each with their own strengths and drawbacks. Let's explore them."

Alex MacArthur

▶ Stop Guessing Where Your Next.js App Broke - 7 videos on error monitoring, replays, tracing, and alerts to debug across your Next.js stack. Watch now.

Sentry sponsor

A Gentle Intro to npm Workspaces (With Visuals) - Workspaces let you manage multiple packages in one repo and link local packages so they can import each other by name. npm may then hoist and deduplicate compatible dependencies during install.

Carlos Precioso

📄 'I Decompiled the White House's New App' - Among the surprises in the React Native app are a cookie/paywall bypass injector and dynamic loading of JavaScript from a random user's GitHub Pages... Thereallo

📄 Building a Scroll-Reactive 3D Gallery with Three.js, Velocity, and Mood-Based Backgrounds Houmahani Kane

📄 Why We Replaced Node.js with Bun for 5x Throughput Nick at Trigger

🛠 Code & Tools

Pretext: A Multiline Text Measurement and Layout Library - Cheng Lou, formerly a React core team member, caused a stir with this X post three days ago, racking up 22M impressions and getting 25k stars on this repo since. Why? People are very excited about the potential for real time web layouts! There are demos here if you want to see what the excitement is about, although the library itself is reasonably straightforward.

Cheng Lou

GitHub Actions 🤝 Expo CI/CD Workflows - Keep GitHub Actions. Add Expo Workflows for mobile: M4 Pro builds, E2E tests, OTA. Let each tool handle what it's best at.

Expo sponsor

Knip v6: The Tool to Declutter Your JS/TS Projects - Knip is a go-to tool for finding and removing unused files, exports, and dependencies in projects. v6 integrates oxc for 2-4x performance gains (it tears through Astro in two seconds) and is largely a drop-in upgrade.

Lars Kappert

📺 ArtPlayer: A Modern, Full-Featured HTML5 Video Player - A straightforward way to get your own heavily-customizable YouTube-style player experience. There's a full, live demo/playground showing it off.

Harvey Zhao

Semiotic 3.0: React + D3 Data Visualization Framework - Does the basics well, but has some more unique offerings like choropleth maps, Sankey diagrams, flow maps, and violin plots, plus streaming data support.

nteract

  • Heat.js 5.1 (above) - Generate heat maps, charts, and statistics to visualize date-based activity. Now with point/line chart support.

  • numpy-ts 1.2 - NumPy implementation for TypeScript and JavaScript. Now at ~50% native performance and with Float16 support. (Homepage)

  • ts-blank-space 0.8 - Pure JavaScript type-stripper using the TypeScript 6 parser.

  • RxDB 17.0 - Reactive NoSQL database for JS apps with local-first capabilities.

  • filesize.js 11.0.15 - Converts byte counts into human-readable file size strings.

  • 💳 React Stripe.js 6.0 - Components for Stripe.js and Stripe Elements.

  • css-select 7.0 - CSS selector compiler and engine. Now ESM.

  • ESLint Markdown Plugin 8.0 - Lint Markdown with ESLint.

📰 Classifieds

⚡ Nimbalyst: Visual workspace for building with Claude Code & Codex. Manage sessions & tasks. Visually edit markdown, mockups, diagrams, code.

Gauntlet AI Live Night School - Stop Shipping Slop: How to Verify AI Generated Code for Production Deployments (Virtual - 4/1)

📢 Elsewhere in the ecosystem

31 Mar 2026 12:00am GMT

24 Mar 2026

Feed: JavaScript Weekly

TypeScript 6.0, Next.js 16.2, and a new Node.js runtime

#778 - March 24, 2026

Announcing TypeScript 6.0 - Over six months in the making, TypeScript 6.0 is designed to bridge the gap between its self-hosted compiler and the (almost ready) Go-powered native compiler of TypeScript 7.0. There are new features (Temporal improvements, RegExp.escape, and more), but most important are the changes to help you prepare for 7.0:

  • Numerous default changes: strict is now true, module is esnext, rootDir defaults to ., and more.
  • A change that will affect many apps is types defaulting to [] rather than pulling in everything from node_modules/@types.
  • Numerous deprecations: the es5 target, emitting AMD, UMD, and SystemJS modules, --baseUrl, and others.
  • --stableTypeOrdering makes 6.0's type ordering behavior match 7.0's to help diagnose inference differences as you update.

Daniel Rosenwasser (Microsoft)

Add Excel-like Spreadsheet Functionality to Your JavaScript Apps - SpreadJS is the industry-leading JavaScript spreadsheet for adding advanced spreadsheet features to your enterprise apps. Build finance, analysis, budget, and other apps. Excel I/O, 500+ calc functions, tables, charts, and more. View demos now.

SpreadJS from MESCIUS inc sponsor

IN BRIEF:

  • 🤖 The Node.js community is wrestling with the role that LLM-produced code should play in its implementation, with the one-time creator of the io.js fork starting a petition to say 'no' to contributions built with AI assistance.

  • A large number of Deno employees announced (e.g.) they were departing the company last week. Deno employee Josh Collinsworth, not speaking for the company, noted "Deno is not going away. These are just hard times."

  • 📗 Chibivue is a code project and associated online book that provides, and explains how to build for yourself, a minimal Vue.js implementation.

RELEASES:

  • Next.js 16.2 - The React framework gets much faster next dev startup and ~50% faster rendering.

  • Storybook 10.3.0 - The component workshop adds Vite 8, Next.js 16.2, and ESLint 10 support, plus a preview of an MCP server for React dev.

  • ⚠️ All maintained Node.js versions are due security releases later today to address nine vulnerabilities.

  • Deno 2.7.6 - deno eval auto-detects CJS vs ESM, and --cpu-prof-flamegraph generates interactive SVG flamegraphs.

  • Bun 1.3.11, Valibot 1.3, ESLint 10.1

📖 Articles and Videos

The Three Pillars of JavaScript Bloat - Three reasons your node_modules is huge: needless ES3-era compat packages, micro-libraries with a single consumer, and ponyfills for APIs that shipped years ago! James, known for the e18e ecosystem performance project, offers some ways to calm the chaos.

James Garbutt

How Rewriting a Rust and WASM-Powered Parser in TypeScript Made it Faster - A counterintuitive result on the surface, but the WASM-JS boundary can introduce a serious performance penalty for many use cases, such that it can be 2-4x quicker to stay in the JS world.

Thesys Engineering Team

Clerk Auth for Chrome Extensions - Now in Vanilla JS - The Chrome Extension SDK now supports vanilla JS via createClerkClient(). Build popups and side panels without React. New quickstart included.

Clerk sponsor

📊 A React SSR Framework Performance Showdown - A large benchmark of TanStack Start, React Router, and Next.js under heavy load. The results led to patches benefitting both TanStack and React generally.

Matteo Collina (Platformatic)

Two React Design Choices Developers Don't Like, But Can't Avoid - Deferred state commits and dependency arrays on effects cause a lot of issues, but Ryan points out that signal-based alternatives (like Solid) only avoid them by staying synchronous.

Ryan Carniato

📄 JavaScript Thinks Everything's a Date - This is why we celebrate the progress of the Temporal API! Robert Gambee

📄 An Introductory Guide to Bookmarklets - Tiny bits of JavaScript saved in, and triggered by, bookmarks. Declan Chidlow

📺 How to Burn $30M on a JavaScript Framework - A five-minute retrospective of 2012's famo.us project. Fireship

📄 Node.js Worker Threads are Problematic, But They Work Great for Us Aaron Harper (Inngest)

🛠 Code & Tools

pnpm 11 Beta 0: A Sneak Peek - The efficiency-focused npm alternative continues its outsized impact on JS package management. It's moving to a SQLite-powered store, gets a configuration overhaul, and has stricter build security by default. Four new commands, too, including pnpm sbom for generating Software Bill of Materials JSON documents.

pnpm contributors

Edge.js: Running Node Apps Inside a WebAssembly Sandbox - A new, in-alpha runtime that maintains full Node compatibility while offering isolation via WebAssembly. Existing apps/modules run unmodified with system calls sandboxed, and the JS engine used is pluggable (between V8, JavaScriptCore and QuickJS). More info on the homepage.

Syrus Akbary (Wasmer)

Breakpoints and console.log Is the Past, Time Travel Is the Future - 15x faster JavaScript debugging than with breakpoints and console.log, supports Vitest, Jest, Karma, Jasmine, and more.

Wallaby Team sponsor

ArrowJS 1.0: Fast, Reactive UI Runtime Built on Platform Primitives - Built around ES modules, template literals and the DOM, it can also isolate component logic inside WASM sandboxes while rendering full inline DOM directly. First unveiled in 2022 by the creator of FormKit, it's now clearly finding its feet.

Justin Schroeder

Sugar High 1.0: A Lightweight JSX Syntax Highlighter - Doesn't need React present, so you can use it for syntax highlighting JSX snippets anywhere. You can also theme it with CSS. GitHub repo.

Jiachi Liu

📰 Classifieds

Flaky tests slowing down dev? Meticulous gives engineers confidence to ship faster by autonomously testing every edge case of your web app.

📢 Elsewhere in the ecosystem

  • The Microsoft Visual Studio Code team shares how they use AI to work on VS Code, from organizing their work and handling issues, to pushing out new releases. If you've noticed VS Code is getting a release every week now, this is why!

  • 🔒 Perhaps more than ever, it's essential to ensure no secrets have sneaked into your repos. Secretlint is a linter dedicated to that task.

  • Back in 1989, Rob Pike, famous both for his work on the Go programming language and for co-creating UTF-8, wrote Rob Pike's 5 Rules of Programming, which has gone viral this week and still applies in 2026!

  • 🤖 Addy Osmani introduces us to comprehension debt. In a world of agent-produced code, the question is now not "how do we generate more code?" but "how do we actually understand more of what we're shipping?"

  • Dislike all the menu icons that macOS 26 (Tahoe) has introduced? There's a solution: defaults write -g NSMenuEnableActionImages -bool NO

24 Mar 2026 12:00am GMT

17 Mar 2026

Feed: JavaScript Weekly

It’s about time: Temporal advances, Vite accelerates

#777 - March 17, 2026

Temporal: The 9-Year Journey to Fix Time in JavaScript - JavaScript's date/time handling is notoriously messy and libraries like Moment.js became popular as a way to work around it. In 2017, Maggie Johnson-Pint, a maintainer of Moment.js, proposed the Temporal API to fix date/time handling for good, and we're mostly there (support is growing, with Safari and Node to catch up).

Jason Williams (Bloomberg)

Still Writing Tests Manually? Meticulous AI Is Here - Notion, Dropbox, Wiz and LaunchDarkly now use a testing paradigm they can't work without. Built by former Palantir engineers, Meticulous automatically creates an evolving suite of E2E UI tests, delivering exhaustive coverage with no developer effort.

Meticulous sponsor

Vite 8.0 Released - A mega release for the popular build tool. Designed to be a smooth upgrade, there's a lot behind the scenes: @vitejs/plugin-react v6 no longer needs Babel, Rolldown replaces Rollup and esbuild, Wasm SSR support, browser console forwarding to the terminal, and big performance gains.

Vite

💡 VoidZero has also open sourced its Vite+ toolkit. Originally intended to be a commercial project, Vite+ combines Vite, Vitest, Oxlint, Oxfmt, Rolldown, and tsdown into a single, unified toolchain, and it's now in alpha.

IN BRIEF:

RELEASES:

  • Electron 41.0 - The cross-platform desktop app framework adds ASAR Integrity digest and MSIX auto-updating support, improves Wayland support, and updates to Chromium 146, Node v24.14.0, and V8 14.6.

  • Nitro v3 Beta - Extend your Vite app with a production-ready server, compatible with any runtime. Handy if you want to try building your own framework!

  • Vitest 4.1 - Next-gen testing framework, now supporting Vite 8.

  • Preact 10.29.0, Prisma 7.5.0, Babel 8.0 RC3, Vue 3.6.0 Beta 8

📖 Articles and Videos

Source Maps: Shipping Features Through Standards - Source maps are JSON files that provide debuggers and similar tools with a mapping between minified/transformed code and the original codebase. Jon gives us a tour and takes us behind the scenes of how the feature has progressed towards becoming a standard (ECMA-426).

Jon Kuperman (Bloomberg)

How we Rewrote 130K Lines from React to Svelte in Two Weeks - A common adage in recent months has been that the use of LLMs and coding agents could lock us into using only the most popular frameworks, but in reality they also make switching between frameworks easier than ever before.

Strawberry

Your Slowest Endpoint Is Probably an Analytics Query - TimescaleDB extends Postgres so analytics queries stay fast at scale. Hypertables, 95% compression, live data. Start for free.

Tiger Data (creators of TimescaleDB) sponsor

Best Practices for Svelte Developers - A brand new page in the Svelte docs that outlines some best practices for writing more robust Svelte apps.

Svelte Docs

An Empirical Study of Frontend Memory Leaks - Analysis of five hundred React, Vue and Angular apps for patterns that lead to memory leaks. Missing timer cleanups and event listener removals cause the majority of problems.

Ko-Hsin Liang

Rewriting a 12-Year-Old JavaScript Library in TypeScript - Specifically, the Machina finite state machine library.

Jim Cowart

📄 Lies I Was Told About Collaborative Editing: Why We Don't Use Yjs Alex Clemmer

▢️ Breaking and Securing OAuth 2.0 in Frontends Philippe De Ryck

📄 How I Added Bluesky Likes to My Astro Blog Luciano Mammino

📄 Why Node.js Needs a Virtual File System Matteo Collina

📄 Native JSON Modules Are Finally Real Matt Smith

🛠 Code & Tools

Nuxt 4.4: The Full-Stack Vue Framework - The full-stack Vue framework that includes routing (now powered by Vue Router v5), server-side rendering, and data fetching out of the box now adds custom useFetch/useAsyncData factories, typed layout props, build profiling, and more.

Daniel Roe and the Nuxt Team

Reveal.js 6.0: The HTML Presentation Framework - A long-standing way to bring elegant presentations to anyone with a browser. v6.0 has some breaking changes, switches to Vite, and introduces an official React wrapper.

Hakim El Hattab

40-60% of Your Mobile Builds Don't Need to Happen - Expo Workflows is mobile CICD that detects whether your changes touch native code and skips the builds you don't need.

Expo Workflows sponsor

RedwoodSDK 1.0 Released: The Cloudflare-Native React Framework - A server-first React framework, built as a Vite plugin, that integrates deeply with the Cloudflare platform (why?) and its provision of workers, databases (D1), durable objects, storage (R2), AI APIs, etc.

Peter Pistorius

📰 Classifieds

🌷 JSNation - Amsterdam & Online - This June, catch the latest trends in modern Web development from the people shaping its present & future.

📢 Elsewhere in the ecosystem

17 Mar 2026 12:00am GMT

18 Jan 2026

Feed: Official jQuery Blog

jQuery 4.0.0

On January 14, 2006, John Resig introduced a JavaScript library called jQuery at BarCamp in New York City. Now, 20 years later, the jQuery team is happy to announce the final release of jQuery 4.0.0. After a long development cycle and several pre-releases, jQuery 4.0.0 brings many improvements and modernizations. It is the first major …

18 Jan 2026 12:29am GMT

11 Aug 2025

Feed: Official jQuery Blog

jQuery 4.0.0 Release Candidate 1

It's here! Almost. jQuery 4.0.0-rc.1 is now available. It's our way of saying, "we think this is ready; now poke it with many sticks". If nothing is found that requires a second release candidate, jQuery 4.0.0 final will follow. Please try out this release and let us know if you encounter any issues. A 4.0 …

11 Aug 2025 5:35pm GMT

17 Jul 2024

Feed: Official jQuery Blog

Second Beta of jQuery 4.0.0

Last February, we released the first beta of jQuery 4.0.0. We're now ready to release a second, and we expect a release candidate to come soon™. This release comes with a major rewrite to jQuery's testing infrastructure, which removed all deprecated or under-supported dependencies. But the main change that warranted a second beta was a …

17 Jul 2024 2:03pm GMT