26 May 2026

Feed: JavaScript Weekly

npm and pnpm introduce staged publishing

#787 - May 26, 2026


JS Crossword: All the Answers are JavaScript - This hand-crafted puzzle will seriously stretch your JavaScript knowledge. I've seen so many people on social media either cheering having finished it or cursing being stuck…

Lyra Rebane

💡 I've put some (educational!) tips at the end of this issue.

Expo UI Hits Stable: Native iOS & Android from One Import - From a single import, @expo/ui ships SwiftUI on iOS and Jetpack Compose on Android with the real platform components underneath. SDK 56 also lands native drop-in replacements for seven common React Native community packages.

Expo sponsor

Staged Publishing for npm Packages Goes Live - npm's 'staged publishing' model provides a review period with approval required before packages go live on the npm registry. Both npm 11.15.0 and pnpm 11.3 have added support.

The npm Project

💡 In this broader writeup, GitHub also introduced npm's new --allow-* options to control where npm is allowed to source packages from.


📖 Articles and Videos

Chrome Previews Declarative Partial Updates - Two new sets of APIs for working with HTML out-of-order, whether in the doc itself (via <template for>) or through dynamic insertion (via setHTML/streamHTML). Experimental in Chrome 148 but polyfills exist.

Pollard and Rosenthal (Chrome)

Optimizing Our Build Times by Migrating from Webpack to Rspack - How Yelp cut build times in half with Rspack (a Rust-powered drop-in replacement for webpack) and what they learned about barrel files and re-exports.

Benson Pan (Yelp)

Unlimited Postgres for Developers and Their Agents - ghost gives your agent unlimited postgres forks. No project limits, no cleanup, 1TB storage, 100 hrs/mo free. Try for free

Ghost sponsor

Microsoft's Analysis of the Recent Mini Shai-Hulud Compromise - A detailed post-mortem of last week's 'Mini Shai-Hulud' npm supply chain compromise.

Microsoft Defender Security Research Team

🤖 AI-Assisted Engineers are Burning Out: Is This Fine? - A look at the negative effects of AI-assisted coding and how to avoid burning yourself out. Ivan Chepurin

📄 A Simple Clustering Algorithm for Lists - Some algorithm fun. Cassidy Williams

🛠 Code & Tools

Deno 2.8: The 'Biggest Minor Release' to Date - The headline is that Node.js compatibility has jumped from 42% in Deno 2.7 to 76.4% now (higher than Bun). Deno also gets huge perf gains across the board and drops the npm: prefix requirement when adding/installing packages. Plus many other things, including:

Bartek Iwańczuk

10 Merged, 34 to Go: Fixing JS Observability Upstream - Every JS APM tool monkey-patches libraries. It breaks with ESM, bundlers, and non-Node runtimes. Here's how to fix it.

Sentry sponsor

📄 DOCX 9.7: Build Word .docx Files in JavaScript - A mature, comprehensive library for generating docx files both client and server side. There's a CodePen-based example with the basics, plus over 100 example scripts.

Dolan Miu

tinykeys 4.0: A Tiny, Modern Library for Keybindings - Has a very simple, straightforward API and the page includes live demos.

Jamie Kyle

An Official Node.js Codemod to Migrate from Axios to fetch - A codemod to transform code using Axios to using the Fetch API instead.

The Node.js Team

📱 Hot Updater: Self-Hosted Over-the-Air Updates for React Native - A way to deploy updates to apps without app store submissions.

Sungyu Kang

📰 Classifieds

🦊 Foxit's open-source MCP server gives AI agents 30+ PDF tools - covering PDF conversion, OCR, merge, signing, and document workflows.

⚙️ Middleware, but for AI agents. Compose Claude Code, Codex & Gemini as one TypeScript harness - 100+ agent recipes. agentfield.ai/github.

Flaky tests slowing down dev? Meticulous gives engineers confidence to ship faster by autonomously testing every edge case of your web app.

👀 JS Crossword Tips

The JS Crossword (featured at the top of the issue) is tough, so I have some educational tips and JS quirks to help you on your way:

  • The crossword runs in the browser, so the window global object is in play. For example: find(0) and name return things in the browser, but not in Node.

  • Look at the 'playground' beneath the puzzle. While a clue may say object, the expected result may be more detailed.

  • A number like 67 can be represented multiple ways. For example: 0103 == 67 and 0x43 == 67

  • You can go further with prefixes and suffixes on numbers. For example: 123., +123, and +123. all equal 123

  • Assignments evaluate to the value that was assigned.

  • Tagged template literals offer a… quirky way to call functions. Consider that this works in JS: console.log`hi` (though this is not equivalent to console.log('hi')).

  • ' is not in the allowed character list.

26 May 2026 12:00am GMT

19 May 2026

Feed: JavaScript Weekly

Dr. Axel's blog is gone (for now)

#786 - May 19, 2026


RFC: It's Time for npm to Make Install Scripts Opt-In - npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default, and they've become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm). This RFC features further discussion of the idea and the tradeoffs involved.

Jamie Magee

💡 npq is a tool that makes npm installs safer. It stands in front of npm and audits packages before installing them, including the presence of pre/post install scripts.

How Depot Built a CI Orchestrator on AWS Lambda - Long-running CI orchestration without long-lived servers. Depot rebuilt their CI engine using AWS Lambda durable functions - stateful, callback-driven, and crash-recoverable. A deep dive into the run-workflow-job hierarchy powering Depot CI.

Depot sponsor

Mini Shai-Hulud Hits: 300+ Malicious npm Packages Published - The "Shai-Hulud" class of npm ecosystem attacks continues to rumble on. Today, hundreds more packages - including popular ones from the antv family and timeago.js - were hit.

SafeDep Team


📖 Articles and Videos

🤖 Mark Erikson's Agent Setup, Workflow, and Tools - Mark, well known for maintaining Redux and creating Redux Toolkit, goes deep into his daily development workflow, including his use of OpenCode (an open source JavaScript-powered coding agent), how he manages his knowledge base, tasks, and more.

Mark Erikson

Clerk API Keys Are Now Generally Available - Let your users create credentials that delegate access to your API. Verify server-side, revoke instantly - all via the Backend SDK.

Clerk sponsor

📗 NodeBook: An Advanced Guide to Node.js Internals - Eight in-depth chapters for understanding Node.js internals, covering topics like event loop internals, what V8 does, streams, module resolution, and async/await.

Ishtmeet Singh

Soon We Can Finally Banish JavaScript to the ShadowRealm - A tour of the in-progress TC39 proposal for running JavaScript in an isolated 'pseudo-realm' with its own globals and intrinsics. Handy for third-party code or anything you want to keep away from global scope.

Mat Marquis

📄 Hardening TanStack After the npm Compromise - What TanStack is doing to improve supply chain security after an attacker published malicious versions of TanStack packages last week. The TanStack Team

📺 The TanStack Start Story: Tanner Linsley on Competing with Next.js - A candid 40-minute interview with TanStack's founder. Nuno Maduro

📄 Cross-Document View Transitions: The Gotchas Nobody Mentions Durgesh Rajubhai Pawar (CSS Tricks)

🛠 Code & Tools

Orval: Generate Type-Safe Clients from OpenAPI/Swagger Specs - Given a valid OpenAPI v3 or Swagger v2 spec, generate models, requests, hooks, and mocks for React, Vue, Svelte, Solid, and Hono apps, or even plain fetch.

Victor Bury

Brownies: Browser Storage as a Plain Object, With Change Events - One tiny API over cookies, localStorage, sessionStorage and IndexedDB. Typed values survive automatically, and you get subscribe() for change events.

Francisco Presencia

Querying a Billion Rows Shouldn't Freeze Your API - TimescaleDB extends Postgres so analytics queries stay fast at scale. No pipeline, no drift. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

🖼️ Pica 10.0: High Quality Image Resizing in the Browser - High quality in-browser image resizing that leans on WASM and Web Workers or falls back to pure JS as necessary. v10 is a modernization build (the first since 2021) that adds ESM and split builds and migrates to TypeScript. GitHub repo.

Vitaly Puzrin

🗓️ SVAR Calendar: A Calendar Component for React, Svelte and Vue - A flexible calendar component with a MIT-licensed core and extended commercial version. Here's a live demo of the open source version.

XB Software Sp.

💡 Schedule-X is another great option in this space and v4.6 just landed.

Fate 1.0: A Modern Data Framework for React - A new data framework from former Jest lead and ex-Meta engineer Christoph Nakazawa.

Christoph Nakazawa

Alien Signals: 'The Lightest Signal Library' - Boils the best of Vue, Preact and Svelte's approaches down into the lightest signal library going. A push-pull reactivity core so well-tuned it got merged back into Vue.

Johnson Chu

📰 Classifieds

HyperFormula: The headless spreadsheet engine with 400+ Excel-compatible formulas. Run complex calculations at high speed.

Flaky tests slowing down dev? Meticulous gives engineers confidence to ship faster by autonomously testing every edge case of your web app.

⚙️ Middleware, but for AI agents. Compose Claude Code, Codex & Gemini as one TypeScript harness - 100+ agent recipes. agentfield.ai/github.


19 May 2026 12:00am GMT

12 May 2026

Feed: JavaScript Weekly

Cryptographically valid malware hits npm

#785 - May 12, 2026


Anatomy of the TanStack npm Compromise - A new strain of the Shai-Hulud worm pushed malicious versions of TanStack packages to npm yesterday (containing a tripwire that would delete files if it detected token revocation), though it hit ~170 other packages too. Maintainer credentials weren't stolen, with the attack instead chaining pull_request_target abuse, cache poisoning, and OIDC token theft from CI memory.

Tanner Linsley

❓ What should you do? Consider an install-time cooldown (e.g. with npm config set min-release-age=7 or pnpm's minimumReleaseAge), as the packages were only compromised for 26 minutes. Plus, audit your GitHub Actions workflows for security issues with a tool like zizmor.

Next.js Debugging Workshop: Logs, Tracing, Full Context - Stop jumping between tools to piece together a Next.js bug. Sentry's hands-on workshop shows you how to write logs that explain where, what, and why, then connect them to traces across client and Node runtimes. Register today.

Sentry sponsor

Announcing Rolldown 1.0: The High Performance JS Bundler - The Rust-based bundler built as the backbone for Vite 8 reaches a stable v1.0. You get huge performance gains, but with Rollup plugin API compatibility: it's 10-30x faster than Rollup, with early adopters reporting big drops in build time.

The VoidZero Team


📖 Articles and Videos

33 JavaScript Concepts - What began life as a Medium article and turned into a popular GitHub repo is now a full site covering a wide array of JavaScript concepts, even going beyond the 33.

Leonardo Maldonado

9 Times the Web Platform Was Influenced by JavaScript Libraries - How various libraries like Lodash, Dojo and jQuery often did the "R&D work in production" for various features that eventually ended up in browser APIs.

Jad Joubran

Easy and Rapid Azure Migrations. Azure Copilot Migration Agent - Check out Microsoft's Introduction to Azure Copilot Agents free learning module to learn more and try it yourself.

Microsoft Azure Copilot Migration Agent sponsor

From React to Web Components: A Migration That Saved 100 KB - "How I migrated a site from React to native Web Components, why that worked better than I expected, and how the patterns I used along the way grew into a small library called nanotags."

Pavel Grinchenko (Evil Martians)

Why Migrate to Valibot? - Valibot is a light, modular TypeScript schema validation library and an alternative to the likes of Zod. v1.4.0 just dropped, too.

Fabian Hiller

📄 A Vanilla Routing Experiment - A look at the tripping points when building client-side routing for a small site without using a framework. Daniela Baron

📄 Preserving DOM Changes Across Live Reloads Kitty Giraudel

📄 I Keep Tripping Over true, false, true Matt Smith

📄 Stop Using Yarn Classic Nicolas Charpentier

📄 Introducing TanStack Form Adam Rackis

🛠 Code & Tools

zero-native: Build Desktop Apps with Zig + WebView - Vercel Labs' entry into the Neutralinojs/Electron/Tauri space for building native HTML+JS desktop apps atop a Zig core and the system WebView or Chromium. There are examples covering how to build vanilla, React, Svelte, and Vue apps on it. GitHub repo.

Vercel

That API Call Takes 3 Seconds. It's Not the Network - It's the analytics query behind it. TimescaleDB extends Postgres so queries stay fast at scale. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

Wakaru: Pull Apart Minified JavaScript Bundles - A tool you can feed minified bundled code and get readable modules back, whether for recovering code, reverse-engineering, or security auditing. You can try it online here.

Pionxzh

BlueJS: Compile JavaScript to Tiny Binaries - An ahead-of-time compiler for JavaScript with QuickJS optionally embedded for dynamic features and package support. While closed source, the raw numbers are compelling (~5ms startup; 3.8MB peak memory use, and a GUI app in a 1.2MB binary).

BlueJS

💡 PerryTS is another (open source) option in this space worth a look.

  • pnpm 11.1 - Supports a new gh: prefix for GitHub Packages, pnpm bugs opens a package's bug tracker in the browser, and pnpm audit signatures verifies ECDSA registry signatures against keys.

  • Astro 6.3 - Adds experimental support for advanced routing: control how requests flow through your app, with full support for frameworks like Hono.

  • Syncpack 15.0 - Large JavaScript monorepo dependency version manager. Now with full support for pnpm and Bun catalogs.

  • 📱 Expo SDK 56 Beta - The popular React Native framework gets a speed boost and the Jetpack Compose and SwiftUI APIs go stable.

  • MDXEditor 4.0 - Powerful Markdown editor React component.

📰 Classifieds

Flaky tests slowing down dev? Meticulous gives engineers confidence to ship faster by autonomously testing every edge case of your web app.

🔎 Detect, Highlight, Fix Accessibility - Test for WCAG & ARIA in the browser! Get A11yInspect Pro Free for 1 year - A developer friendly tool. Join the waitlist.

12 May 2026 12:00am GMT

18 Jan 2026

Feed: Official jQuery Blog

jQuery 4.0.0

On January 14, 2006, John Resig introduced a JavaScript library called jQuery at BarCamp in New York City. Now, 20 years later, the jQuery team is happy to announce the final release of jQuery 4.0.0. After a long development cycle and several pre-releases, jQuery 4.0.0 brings many improvements and modernizations. It is the first major …

18 Jan 2026 12:29am GMT

11 Aug 2025

Feed: Official jQuery Blog

jQuery 4.0.0 Release Candidate 1

It's here! Almost. jQuery 4.0.0-rc.1 is now available. It's our way of saying, "we think this is ready; now poke it with many sticks". If nothing is found that requires a second release candidate, jQuery 4.0.0 final will follow. Please try out this release and let us know if you encounter any issues. A 4.0 …

11 Aug 2025 5:35pm GMT

17 Jul 2024

Feed: Official jQuery Blog

Second Beta of jQuery 4.0.0

Last February, we released the first beta of jQuery 4.0.0. We're now ready to release a second, and we expect a release candidate to come soon™. This release comes with a major rewrite to jQuery's testing infrastructure, which removed all deprecated or under-supported dependencies. But the main change that warranted a second beta was a …

17 Jul 2024 2:03pm GMT