fidzu : javascript

#​785 - May 12, 2026

Read on the Web

JavaScript Weekly

Anatomy of the TanStack npm Compromise - A new strain of the Shai-Hulud worm pushed malicious versions of TanStack packages to npm yesterday (containing a tripwire that would delete files if it detected token revocation), though it hit ~170 other packages too. Maintainer credentials weren't stolen, with the attack instead chaining pull_request_target abuse, cache poisoning, and OIDC token theft from CI memory.

Tanner Linsley

❓ What should you do? Consider an install-time cooldown (e.g. with npm config set min-release-age=7 or pnpm's minimumReleaseAge), as the packages were only compromised for 26 minutes. Plus, audit your GitHub Actions workflows for security issues with a tool like zizmor.

Next.js Debugging Workshop: Logs, Tracing, Full Context - Stop jumping between tools to piece together a Next.js bug. Sentry's hands-on workshop shows you how to write logs that explain where, what, and why, then connect them to traces across client and Node runtimes. Register today.

Sentry sponsor

Announcing Rolldown 1.0: The High Performance JS Bundler - The Rust-based bundler built as the backbone for Vite 8 reaches a stable v1.0. You get huge performance gains, but with Rollup plugin API compatibility: it's 10-30x faster than Rollup, with early adopters reporting big drops in build time.

The VoidZero Team

IN BRIEF:

• The notes from Node.js's recent collaboration summit make for good reading if you want to see what the Node team is working on right now.

• Regarding Bun's experimental port to Rust (from Zig), Jarred Sumner says the now-960k LOC rewrite passes 99.8% of Bun's pre-existing test suite.

• 🤖 A developer has launched a challenge to port NetHack to JavaScript. Can LLMs port the complex roguelike game perfectly? So far, no, with the leaderboard showing a transpiled version coming closest.

• Did you know Firefox has a $$$ helper for querying through the Shadow DOM?

RELEASES:

• Jest 30.4.0 - A strong release for the popular JavaScript testing framework as it improves ESM, Temporal and React 19 support.

• Node 26.1 (Current) - Last week's big Node 26 release may have had the Temporal API, but 26.1 adds (experimental) official FFI support. I did a writeup of what this means at the end of last week's Node Weekly.

• Electron 42 - Updates to Chromium 148/Node 24.15/V8 14.8 and no longer downloads the Electron binary in a postinstall script for added security.

• Capacitor 9.0 Alpha 1, Playwright 1.60.0, Mantine 9.2

📖 Articles and Videos

33 JavaScript Concepts - What began life as a Medium article and turned into a popular GitHub repo is now a full site covering a wide array of JavaScript concepts, even going beyond the 33.

Leonardo Maldonado

9 Times the Web Platform Was Influenced by JavaScript Libraries - How various libraries like Lodash, Dojo and jQuery often did the "R&D work in production" for various features that eventually ended up in browser APIs.

Jad Joubran

Easy and Rapid Azure Migrations. Azure Copilot Migration Agent - Check out Microsoft's Introduction to Azure Copilot Agents free learning module to learn more and try it yourself.

Microsoft Azure Copilot Migration Agent sponsor

From React to Web Components: A Migration That Saved 100 KB - "How I migrated a site from React to native Web Components, why that worked better than I expected, and how the patterns I used along the way grew into a small library called nanotags."

Pavel Grinchenko (Evil Martians)

Why Migrate to Valibot? - Valibot is a light, modular TypeScript schema validation library and an alternative to the likes of Zod. v1.4.0 just dropped, too.

Fabian Hiller

📄 A Vanilla Routing Experiment - A look at the tripping points when building client-side routing for a small site without using a framework. Daniela Baron

📄 Preserving DOM Changes Across Live Reloads Kitty Giraudel

📄 I Keep Tripping Over true, false, true Matt Smith

📄 Stop Using Yarn Classic Nicolas Charpentier

📄 Introducing TanStack Form Adam Rackis

🛠 Code & Tools

zero-native: Build Desktop Apps with Zig + WebView - Vercel Labs' entry into the Neutralinojs/Electron/Tauri space for building native HTML+JS desktop apps atop a Zig core and the system WebView or Chromium. There are examples covering how to build vanilla, React, Svelte, and Vue apps on it. GitHub repo.

Vercel

That API Call Takes 3 Seconds. It's Not the Network - It's the analytics query behind it. TimescaleDB extends Postgres so queries stay fast at scale. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

Wakaru: Pull Apart Minified JavaScript Bundles - A tool you can feed minified bundled code and get readable modules back, whether for recovering code, reverse-engineering, or security auditing. You can try it online here.

Pionxzh

BlueJS: Compile JavaScript to Tiny Binaries - An ahead-of-time compiler for JavaScript with QuickJS optionally embedded for dynamic features and package support. While closed source, the raw numbers are compelling (~5ms startup; 3.8MB peak memory use, and a GUI app in a 1.2MB binary).

BlueJS

💡 PerryTS is another (open source) option in this space worth a look.

• pnpm 11.1 - Supports a new gh: prefix for GitHub Packages, pnpm bugs opens a package's bug tracker in the browser, and pnpm audit signatures verifies ECDSA registry signatures against keys.

• Astro 6.3 - Adds experimental support for advanced routing: control how requests flow through your app, with full support for frameworks like Hono.

• Syncpack 15.0 - Large JavaScript monorepo dependency version manager. Now with full support for pnpm and Bun catalogs.

• 📱 Expo SDK 56 Beta - The popular React Native framework gets a speed boost and the Jetpack Compose and SwiftUI APIs go stable.

• MDXEditor 4.0 - Powerful Markdown editor React component.

#​784 - May 5, 2026

Read on the Web

JavaScript Weekly

Remix 3 Enters Beta - It's No Longer a React Framework - Remix has quite the back story. Created by the duo behind React Router in 2020 and seen as an alternative to Next.js, Remix was acquired by Shopify in 2022 and its core ideas folded into React Router v7 in 2024. Now, a new direction: a full-stack, web standards-first framework with its own UI component model and… no React.

Michael Jackson (Remix)

Build AI Features That Get Better Over Time - Join Scott Moss for this detailed video course covering agentic systems, eval harnesses, RAG, and context engineering - everything you need to ship reliable, production-ready AI features.

Frontend Masters sponsor

Node.js 26.0.0 (Current) Released - A macOS build snafu pushed the release date out to today, but the latest version of Node is here, complete with Temporal API enabled by default, V8 14.6, and Undici 8. v26 is the 'current' cutting-edge release until October when it'll be promoted to LTS.

Rafael Gonzaga

IN BRIEF:

• Vitest is tightly coupled to Vite, but a maintainer has proposed making it "framework-agnostic" to support other build tools and runtimes.

• People on Hacker News got very excited to discuss an effort by Bun's Jarred Sumner to port Bun from Zig to Rust. Jarred turned up on the thread to cool things down. A Rust port is being attempted, but with no long-term intent to switch for now.

• The Svelte team has shared its latest monthly roundup, including the news that Svelte appears in ThoughtWorks' latest Technology Radar.

• Deno is getting experimental support for import defer (TC39 proposal) and may be the first runtime to support it.

RELEASES:

• PM2 7.0 - The Node.js process manager gets a refactor that slashes its dependency footprint, and extends cluster mode and the monitoring agent to Bun apps.

• Astro v7 Alpha - The web framework for content-driven websites teases its Vite 8-based, Rust compiler-driven version, alongside its v6.2 release.

• Electron 41.5 - The cross-platform desktop app framework adds support for Touch ID for WebAuthn on macOS.

• Ember 6.12 - The final 6.x release in preparation for Ember 7.0.

• ESLint 10.3, Zod 4.4, Babylon.js 9.5

📖 Articles and Videos

Testing Vue Components in the Browser - Julia sets up integration tests for her components that run entirely in the browser, sidestepping extraneous tooling, and shares issues she ran into around mounting components, waiting on the DOM, filling forms, and measuring coverage.

Julia Evans

Trustworthy JavaScript for the Open Web - Web Application Integrity, Consistency and Transparency (WAICT) is an emerging spec for cryptographically verifying that the JavaScript running in a user's browser matches what the site published (there's a full explainer here). A prototype is now live in Firefox Nightly.

The Firefox Security Team (Mozilla)

Breakpoints and console.log Is the Past, Time Travel Is the Future - 15x faster JavaScript debugging than with breakpoints and console.log, supports Vitest, Jest, Karma, Jasmine, and more.

Wallaby Team sponsor

📄 'I Got a $134 Cloudflare D1 Bill: Here's How I Cut It 95%' - Adventures in using SvelteKit on Cloudflare Workers with D1 (SQLite) and Drizzle ORM. Justin Ahinon

📄 'I Am Worried About Bun' - By a developer who's worried about the long term implications of Anthropic acquiring Bun. William Johnston

📄 Making Bluetooth Low Energy Work with JavaScript Ifedayo Agboola

🛠 Code & Tools

Anime.js 4.4: The Flexible JavaScript Animation Engine - At ten years old, the 'animate anything from JavaScript' library continues to get even better with a new scrambleText effect and auto-grid layout mode for stagger grids. The docs for Anime are truly top-tier and packed with examples.

Julian Garnier

Video Archiving with the Vonage Video API and React - Master four ways to record: capture audio-only, separate streams, or use Experience Composer for custom branded layouts.

Vonage sponsor

Formisch: A Modular, Type-Safe Form Library - A schema-based, headless form library for Preact, Qwik, React, SolidJS, Svelte and Vue that manages form state and validation (using Valibot). Try out some demos in the playground.

Open Circle

opentype.js: Read and Write OpenType Fonts - Get direct access to letterforms in the browser and Node.js. Has broad WOFF, OTF, and TTF support, and supports ligatures, kerning, and emojis. You can also create your own fonts from scratch. The new v1.3.5 release is a preview of the soon-to-land 2.0. GitHub repo.

Frederik De Bleser

View Transitions Mock: Non-Visual Polyfill for Same-Document View Transitions - A JS implementation of Same-Document View Transitions, without the visuals. Write one clean code path: supporting browsers get the transitions, non-supporting ones get an instant DOM swap, but the promises behave the same.

Google Chrome Labs

• 🎬 Mediabunny v1.42.0 - Read, write, and convert audio and video files in the browser. v1.42.0 notably adds HTTP Live Streaming (HLS) read/write support.

• pnpm v11.0.5 - The fast and efficient npm alternative has deployed many bugfixes since last week's big 11.0 release.

• Electrobun 1.18 - Build tiny cross-platform desktop apps atop Bun. (Changelog)

• useHotkeys 5.3 - React hook for using keyboard shortcuts in components.

• RxDB 17.2.0 - Fast, local-first, reactive database for JS apps.

📢 Elsewhere in the ecosystem

• How can you not love a project homepage where you're a cat in a convertible driving through an endless barrage of obstacles? Crashcat is a JavaScript 3D rigid body physics library built for games, simulations, and web experiences, complete with numerous fun examples.

• ✉️ Cloudflare has open sourced Agentic Inbox, a self-hosted React 19 and React Router 7-based web email app that ties together and heavily leans on numerous Cloudflare APIs.

• Ladybird is a "truly independent web browser" with its renderer and JS engine built entirely from scratch, with an alpha release due later this year. In the project's latest update they cover recent significant JS and CSS improvements.

• Tired of localhost:3000 on your projects? Vercel's Portless lets you run local dev servers using a more user-friendly .localhost hostname over HTTPS.

• Thales is a TypeScript to Lean compiler that type-checks a subset of TypeScript and emits a Lean sidecar, turning your code into a Lean module you can reason about.

#​783 - April 28, 2026

Read on the Web

JavaScript Weekly

pnpm 11.0 Released - You've heard about its benefits, but now the popular package management tool is even better. v11 sets minimumReleaseAge to one day by default, there's an SQLite-backed store index (faster installs!), native package publishing, pack-app, and more. There's a migration guide for v10 users. Work has also resumed on a Rust-powered port called Pacquet.

Zoltan Kochan

💡 On the topic of package managers, Aube is a new contender from the creator of Mise that focuses heavily on performance.

Still Writing Tests Manually? Meticulous AI Is Here - Notion, Dropbox, Wiz and LaunchDarkly now use a testing paradigm they can't work without. Built by former Palantir engineers, Meticulous automatically creates an evolving suite of E2E UI tests, delivering exhaustive coverage with no developer effort.

Meticulous sponsor

TypeScript 7.0 Beta: 10x Faster TypeScript Compilation - The Go-powered port with "about 10 times faster" compiler performance. TypeScript 6.0's deprecations and config changes will help you upgrade smoothly from v5 to v7. There are also changes to how to write your code to review. While v7 is considered "close to production-ready", a stable programmatic API won't arrive till v7.1.

Microsoft

IN BRIEF:

• Node.js v26.0 (Current) is expected later today, enabling Temporal API support by default after an upgrade to V8 14.6. Here's a preview of the release notes.

• Noticed GitHub being flakier than usual lately? Vlad Fedorov has a fresh official update on GitHub's reliability (including last week's merge queue incident).

• 🇪🇺 NodeConf EU is back. It's in Bologna, Italy this September 29-30. Tickets are on sale, and here's the CFP if you want to speak.

RELEASES:

• Rspack 2.0 - The fast, Rust-based webpack-compatible bundler is 10% faster than v1.7, performs better static analysis, and adds experimental RSC support. Rsbuild 2.0 was released too.

• Nuxt UI 4.7 - Vue UI library with 125+ components. v4.7 adds Listbox, and a Prompt component for displaying copy/pasteable AI prompts.

• 🌐 Lingui 6.0 - Popular framework and runtime agnostic JS i18n and l10n library.

• Transformers.js 4.2.0, Electron 41.3.0, Etherpad v2.7.0

📖 Articles and Videos

What's Actually New in JavaScript (And What's Coming Next) - You could read the specs and countless posts about each new language feature or... this post that brings everything relevant and useful from ES2025 and ES2026 into one place. Iterator helpers, Promise.try, Map.getOrInsert, using, Temporal, and much more, are covered.

Neciu Dan

Stop Guessing Where Your Next.js App Broke [Workshop] - Learn to trace Next.js errors back to their source using logs and tracing. Free workshop, register today

Sentry sponsor

📄 Debugging WASM in Chrome DevTools - Tips on using the Chrome DevTools' "very capable WASM debugger". Eli Bendersky

📄 Writing Node.js Addons with .NET Native AOT - You can now write native Node addons in .NET-based languages, such as C#. Drew Noakes (Microsoft)

📄 The Simplest C Function-to-WebAssembly-to-JS Pipeline Peter Cooper

📄 Upgrade Cypress to TypeScript 6.0 Gleb Bahmutov

🛠 Code & Tools

TSRX: A TypeScript Language Extension for Declarative UIs - A fresh attempt at improving upon JSX from a Svelte maintainer and former React core engineer. It includes control flow, scoped styles, and locals, and compiles to React, Preact, Solid and Ripple.

Dominic Gannaway

📊 Lightweight Charts™ 5.2: Fast Charts for Financial Data - A seven-year-old canvas-based charting library optimized for financial data use cases like rounded candle plots, box whisker plots, and dual range histograms. The homepage is full of interactive demos. GitHub repo.

TradingView

Clerk CLI: Manage Auth from Your Terminal - Detects your framework, scaffolds auth, and manages sign-in methods and session policies in code. Open source.

Clerk sponsor

Nano Stores 1.3: A Tiny (286 Bytes) State Manager - Atomic and derived stores for every major framework (including React) and vanilla JS. Worth a look if a tiny footprint and framework-agnostic design appeal to you.

Andrey Sitnik (Evil Martians)

BWIP-JS 4.10: Barcode Writer in Pure JavaScript - A library to generate barcodes using over 100 different standards. There's a live demo where you'll discover far more types of barcodes exist than you imagined.

Mark Warren

🍋 Fresh 2.3: Zero JS by Default, View Transitions, and More - Deno full-stack web framework (explained here) gains first-class WebSocket support, no longer ships any JavaScript for pages that don't need it, and makes using the View Transitions API a snap with a single attribute in your views.

Bartek Iwańczuk (Deno)

• 🎬 Mediabunny v1.41.0 - Powerful JavaScript toolkit for working with media files.

• hyperid 4.0 - Matteo Collina's fast unique ID generator for Node & browsers.

• Svelte Bricks 0.5 - Svelte masonry component with SSR support.

• focus-trap 8.1 - Trap focus within a DOM node. (Demo.)

• CheerpJ 4.3 - Run unmodified Java apps in the browser.

• qrcode.vue 3.9 - Vue component to generate QR codes.

📢 Elsewhere in the ecosystem

• 🎵 I've been dying to link to Chip Player JS again for a while now. It's a JavaScript powered online player and repository of over 300,000 MIDI, tracker, chiptune, and video game music files. It's fantastic for background music, and if you can remember a game, it's probably in here. Chrono Trigger's soundtrack is a particular favorite of mine.

• 📊 Datatype is an OpenType variable font that turns simple text expressions into inline charts with no JavaScript or images needed. For example: {l:10,50,30,80,20} gets rendered as an inline sparkline.

• 🤖 Cloudflare's new Is Your Site Agent-Ready? tool analyzes your site to "see how ready it is for AI agents."

• 🤖 Cloudflare has released a set of agent skills to help agentic development tools build on the Cloudflare platform.

• Sean Goedecke explains how good engineers write bad code at big companies.

• If all else fails, just stare at the wall for ten minutes.