fidzu : javascript

#​788 - June 2, 2026

Read on the Web

JavaScript Weekly

Hocuspocus 4: Add Real-Time Collaboration to Any App - A plug-and-play real-time collaboration backend based on Yjs so you can quickly and safely wire up multi-user collaborative experiences into a JavaScript app. It runs on Node, Bun, Deno, or Cloudflare Workers. GitHub repo.

Tiptap

Still Writing Tests Manually? Meticulous AI Is Here - Notion, Dropbox, Wiz and LaunchDarkly now use a testing paradigm they can't work without. Built by former Palantir engineers, Meticulous automatically creates an evolving suite of E2E UI tests, delivering exhaustive coverage with no developer effort.

Meticulous sponsor

How to Evaluate an npm Package: 2026 Edition - A practical checklist for vetting packages beyond star counts, covering provenance attestation, install scripts, CI quality, and maintainer responsiveness. Learn to spot the red flags before you npm install.

Gabor Koos

IN BRIEF:

• 🕒 The popular date-fns date utility library is preparing for a Temporal shaped future and becoming a "Temporal-first library". For now, a much leaner v4.4 is available, and v5.0 just entered alpha.

• 🔒 In the latest surfacing of Shai-Hulud, dozens of Red Hat npm packages have been backdoored.

• npm 11.16.0 has shipped with initial (advisory warning only) support for an opt-in install-script policy using allowScripts. More details here.

• The Svelte team presents its latest monthly update.

RELEASES:

• Ember 7.0 - A major release for the long-standing framework to remove deprecated features. This post rounds up everything new since 6.0.

• Node.js 26.3.0 (Current) - npm is upgraded to 11.16.0, macOS x64 gets demoted to a tier 2 platform, and QUIC gets a big batch of improvements.

• Astro 6.4 - The web framework adds a pluggable Markdown pipeline, a Rust-based Markdown processor, and helpers for advanced routing on Cloudflare.

• pnpm 11.5.0/11.5.1, ESLint 10.4.1, Angular 22 RC3

📖 Articles and Videos

🤖 Using AI to Write Better Code More Slowly - A prolific JavaScript developer says LLMs aren't just for pumping out bad code quickly, they can indeed help you write higher quality code more slowly.

Nolan Lawson

TypeScript Tips Everyone Should Know - A concise set of tips for safer and cleaner code, as well as a reminder that while TypeScript can improve correctness, it doesn't guarantee good architecture or eliminate runtime bugs.

Matt Smith

Your Partition Scheme Made Sense. Then the Data Got Big - TimescaleDB extends Postgres so analytics queries stay fast at scale. No pipeline, no second database. $1000 credit.

Tiger Data (creators of TimescaleDB) sponsor

Intentionally Blocking Rendering with JavaScript - "Sometimes an inline render-blocking script is a small price to pay for avoiding aggressive layout shifts."

Jay Freestone

Why Does tsgo Use So Much Memory? - A look into the Go-powered TypeScript 7 compiler and why it can chew through gigabytes on a large project.

Zack Radisic

📄 CSS vs. JavaScript for Web Animations - Underlying performance differences and guidance on when to pick which approach. Josh W. Comeau

📄 Your Recursion is Lying to You - ES2015 specified tail call optimization, but most engines in 2026 don't support it. Gabor Koos

📄 How We Cut Build Times by Two-Thirds by Deleting Our CMS - The story of Sentry's Gatsby to Astro migration. Eli Lennox (Sentry)

📄 Creating a VS Code Agent Hook to Respond to File Changes Nicholas C. Zakas

🛠 Code & Tools

📊 Plotly 3.6: The Declarative Graphing Library - A long-standing library, also widely used in the Python and R ecosystems, that offers over 50 visualization types, from basic charts and graphs to maps, plots, and heatmaps.

Plotly, Inc.

Expo UI Is Stable. Real SwiftUI and Compose from JS - One import. SwiftUI on iOS, Jetpack Compose on Android. Plus native drop-in replacements for 7 community packages.

Expo sponsor

Component Party: A Rosetta Stone of UI Libraries - A side-by-side code snippet comparison of frameworks including React, Vue, Svelte, Angular, Ember, and more obscure options. Recent updates have extended Angular and Svelte coverage, plus added Ripple and Ember Polaris to the mix.

Mathieu Schimmerling

🎉 tsParticles 4: A Particle Engine for Web Effects - If you want a confetti cannon, fireworks, ribbons, fireflies, snow, or similar effects on your pages, this is for you. Supports all major frameworks and vanilla JS. You can see some live demos here.

Matteo Bruni

• 📝 officeParser 7.1 - Parse 'office' files (e.g. docx, pptx, xlsx, odt) into an AST. The in-browser demo shows off what's returned.

• 🔎 Fuse.js 7.4 - JavaScript fuzzy-search library. v7.4 adds support for parallel search powered by Web Workers. (Homepage)

• ESLint You Might Not Need An Effect 1.0 - ESLint/Oxlint plugin to catch when you might not need an Effect in React.

• PGlite 0.5 - Run a Postgres database locally in WASM with reactivity and live sync. v0.5 upgrades to Postgres 18.3.

• TinyBase 8.4 - A reactive data store and sync engine for local-first apps. Now with full SolidJS support.

• Sugar High 1.2 - 1KB syntax highlighter for JavaScript and JSX.

• Mantine 9.3 - Popular, extensive React component suite.

📢 Elsewhere in the ecosystem

• Programming language legend ▶️ Anders Hejlsberg was on The Pragmatic Engineer talking about his background, work on TypeScript, JavaScript's strengths and weaknesses, and how he uses AI.

• Kyle Simpson (of YDKJS fame) got in touch minutes before we hit send to let us know about @gql-x/Composer, a new library he's working on that's a JavaScript DSL for dynamically composing GraphQL query strings.

• A new way for sites to sneakily track users with JavaScript has been demonstrated. It involves analyzing SSD usage by using the Origin Private File System feature.

• 🤖 The results of the State of Web Dev AI 2026 survey are ready to enjoy with stats on AI use from over 7,000 developers.

#​787 - May 26, 2026

Read on the Web

JavaScript Weekly

JS Crossword: All the Answers are JavaScript - This hand-crafted puzzle will seriously stretch your JavaScript knowledge. I've seen so many people on social media either cheering having finished it or cursing being stuck…

Lyra Rebane

💡 I've put some (educational!) tips at the end of this issue.

Expo UI Hits Stable: Native iOS & Android from One Import - From a single import, @expo/ui ships SwiftUI on iOS and Jetpack Compose on Android with the real platform components underneath. SDK 56 also lands native drop-in replacements for seven common React Native community packages.

Expo sponsor

Staged Publishing for npm Packages Goes Live - npm's 'staged publishing' model provides a review period with approval required before packages go live on the npm registry. Both npm 11.15.0 and pnpm 11.3 have added support.

The npm Project

💡 In this broader writeup, GitHub also introduced npm's new --allow-* options to control over where npm is allowed to source packages from.

IN BRIEF:

• Firefox has added Web Serial support in Firefox 151 so you can connect to microcontrollers, 3D printers, and other serial-connected hardware from JS.

• Mozilla's Ryan Hunt says goodbye to asm.js as Firefox's JS engine now disables optimizations for it by default.

• 🤖 Modern Web Guidance is a suite of expert-vetted skills to guide agents in building modern web experiences, e.g. "begin preloading pages when users hover over important links."

• TC39 held its latest meeting last week - a roundup is due soon.

RELEASES:

• Storybook 10.4 - the frontend component workshop - has added first-class TanStack React support and the ability for agents to set up Storybook in complex apps.

• Node.js v26.2.0 (Current) and v24.16.0 (LTS)

• pnpm 11.3 - Adds pnpm stage for staged publishing, trustLockfile for setting controls around application of trust policies, native pkg, repo and set-script commands & more.

• npm 12.0 Prerelease, Apache ECharts 6.1 (Demos.)

📖 Articles and Videos

Chrome Previews Declarative Partial Updates - Two new sets of APIs for working with HTML out-of-order, whether in the doc itself (via <template for>) or through dynamic insertion (via setHTML/streamHTML). Experimental in Chrome 148 but polyfills exist.

Pollard and Rosenthal (Chrome)

Optimizing Our Build Times by Migrating from Webpack to Rspack - How Yelp cut build times in half with Rspack (a Rust-powered drop-in replacement for webpack) and what they learned about barrel files and re-exports.

Benson Pan (Yelp)

Unlimited Postgres for Developers and Their Agents - ghost gives your agent unlimited postgres forks. No project limits, no cleanup, 1TB storage, 100 hrs/mo free. Try for free

Ghost sponsor

Microsoft's Analysis of the Recent Mini Shai-Hulud Compromise - A detailed post-mortem of last week's 'Mini Shai-Hulud' npm security chain compromise.

Microsoft Defender Security Research Team

🤖 AI-Assisted Engineers are Burning Out: Is This Fine? - A look at the negative effects of AI-assisted coding and how to avoid burning yourself out. Ivan Chepurin

📄 A Simple Clustering Algorithm for Lists - Some algorithm fun. Cassidy Williams

🛠 Code & Tools

Deno 2.8: The 'Biggest Minor Release' to Date - The headline is that Node.js compatibility has jumped from 42% in Deno 2.7 to 76.4% now (higher than Bun). Deno also gets huge perf gains across the board and drops the npm: prefix requirement when adding/installing packages. Plus many other things, including:

• New commands including: audit fix to upgrade vulnerable dependencies, pack to build a project into a npm-publishable tarball, and why to see why a package has been installed.
• Web API support improvements, including OffscreenCanvas going stable.
• Node module.registerHooks() support.
• Chrome DevTools can now inspect Deno's network traffic.
• A built-in CPU profiler.
• import defer support.
• V8 14.9 and TypeScript 6.0.3.

Bartek Iwańczuk

10 Merged, 34 to Go: Fixing JS Observability Upstream - Every JS APM tool monkey-patches libraries. It breaks with ESM, bundlers, and non-Node runtimes. Here's how to fix it.

Sentry sponsor

📄 DOCX 9.7: Build Word .docx Files in JavaScript - A mature, comprehensive library for generating docx files both client and server side. There's a CodePen-based example with the basics, plus over 100 example scripts.

Dolan Miu

tinykeys 4.0: A Tiny, Modern Library for Keybindings - Has a very simple, straightforward API and the page includes live demos.

Jamie Kyle

An Official Node.js Codemod to Migrate from Axios to fetch - A codemod to transform code using Axios to using the Fetch API instead.

The Node.js Team

📱 Hot Updater: Self-Hosted Over-the-Air Updates for React Native - A way to deploy updates to apps without app store submissions.

Sungyu Kang

• 📊 Perspective 4.5 - Analytics and data viz component for large and streaming datasets.

• Partytown 0.14.0 - Relocate resource-intensive scripts into Web Workers.

• atproto TypeScript SDK Upgrades - Every package in the @atproto namespace has been rebuilt, and all are now shipped as ESM.

• Kysely 0.29.0 - Popular type-safe SQL query builder.

• Svader 1.0 - Create GPU-rendered Svelte components.

👀 JS Crossword Tips

The JS Crossword (featured at the top of the issue) is tough, so I have some educational tips and JS quirks to help you on your way:

• The crossword runs in the browser, so the window global object is in play. For example: find(0) and name return things in the browser, but not in Node.

• Look at the 'playground' beneath the puzzle. While a clue may say object, the expected result may be more detailed.

• A number like 67 can be represented multiple ways. For example: 0103 == 67 and 0x43 == 67

• You can go further with prefixes and suffixes on numbers. For example: 123., +123, and +123. all equal 123

• Assignments evaluate to the value that was assigned.

• Tagged template literals offer a… quirky way to call functions. Consider that this works in JS: console.log`hi` (though this is not equivalent to console.log('hi')).

• ' is not in the allowed character list.

#​786 - May 19, 2026

Read on the Web

JavaScript Weekly

RFC: It's Time for npm to Make Install Scripts Opt-In - npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default, and they've become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm). This RFC features further discussion of the idea and the tradeoffs involved.

Jamie Magee

💡 npq is a tool that makes npm installs safer. It stands in front of npm and audits packages before installing them, including the presence of pre/post install scripts.

How Depot Built a CI Orchestrator on AWS Lambda - Long-running CI orchestration without long-lived servers. Depot rebuilt their CI engine using AWS Lambda durable functions - stateful, callback-driven, and crash-recoverable. A deep dive into the run-workflow-job hierarchy powering Depot CI.

Depot sponsor

Mini Shai-Hulud Hits: 300+ Malicious npm Packages Published - The "Shai-Hulud" class of npm ecosystem attacks continues to rumble on. Today, hundreds more packages - including popular ones from the antv family and timeago.js - were hit.

SafeDep Team

IN BRIEF:

• 😱 Dr. Axel Rauschmayer (JavaScript legend and former JS Weekly editor) has taken his blog and JavaScript books off the Web due to being overwhelmed by AI crawlers. You can, however, still purchase his fantastic books here.

• The Bun saga continues. Despite once playing down its significance, the Rust-based rewrite of Bun has been merged, though there are questions over the quality of the AI-ported code. Much discussion ensued on Hacker News.

• The Deno team is teasing Deno 2.8, due to be released this week. Significant Node.js compatibility improvements, import defer, and TypeScript 6.0.3 support await.

• The Chrome and Edge teams are working on a new <install> HTML element for browsers to render a 'trusted install button' for PWAs.

• The Express.js project has an all new look, including a new site, logo, and improved docs.

RELEASES:

• Angular 22 Release Candidate - Final is due in early June. Expect signal-based forms and the OnPush change detection strategy becoming default.

• Bun 1.3.14 - The alternative JS runtime gets Bun.Image, more HTTP/2 and HTTP/3 support, and more Node compatibility improvements.

• ESLint Config Inspector 3.0 - A visual tool for inspecting and understanding your ESLint flat configs.

• TypeORM 1.0, ESLint 10.4.0, Relay 21.0, Rolldown 1.0.1

📖 Articles and Videos

🤖 Mark Erikson's Agent Setup, Workflow, and Tools - Mark, well known for maintaining Redux and creating Redux Toolkit, goes deep into his daily development workflow, including his use of OpenCode (an open source JavaScript-powered coding agent), how he manages his knowledge base, tasks, and more.

Mark Erikson

Clerk API Keys Are Now Generally Available - Let your users create credentials that delegate access to your API. Verify server-side, revoke instantly - all via the Backend SDK.

Clerk sponsor

📗 NodeBook: An Advanced Guide to Node.js Internals - Eight in-depth chapters for understanding Node.js internals, covering topics like event loop internals, what V8 does, streams, module resolution, and async/await.

Ishtmeet Singh

Soon We Can Finally Banish JavaScript to the ShadowRealm - A tour of the in-progress TC39 proposal for running JavaScript in an isolated 'pseudo-realm' with its own globals and intrinsics. Handy for third-party code or anything you want to keep away from global scope.

Mat Marquis

📄 Hardening TanStack After the npm Compromise - What TanStack is doing to improve supply chain security after an attacker published malicious versions of TanStack packages last week. The TanStack Team

📺 The TanStack Start Story: Tanner Linsley on Competing with Next.js - A candid 40-minute interview with TanStack's founder. Nuno Maduro

📄 Cross-Document View Transitions: The Gotchas Nobody Mentions Durgesh Rajubhai Pawar (CSS Tricks)

🛠 Code & Tools

Orval: Generate Type-Safe Clients from OpenAPI/Swagger Specs - Given a valid OpenAPI v3 or Swagger v2 spec, generate models, requests, hooks, and mocks for React, Vue, Svelte, Solid, and Hono apps, or even plain fetch.

Victor Bury

Brownies: Browser Storage as a Plain Object, With Change Events - One tiny API over cookies, localStorage, sessionStorage and IndexedDB. Typed values survive automatically, and you get subscribe() for change events.

Francisco Presencia

Querying a Billion Rows Shouldn't Freeze Your API - TimescaleDB extends Postgres so analytics queries stay fast at scale. No pipeline, no drift. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

🖼️ Pica 10.0: High Quality Image Resizing in the Browser - High quality in-browser image resizing that leans on WASM and Web Workers or falls back to pure JS as necessary. v10 is a modernization build (the first since 2021) that adds ESM and split builds and migrates to TypeScript. GitHub repo.

Vitaly Puzrin

🗓️ SVAR Calendar: A Calendar Component for React, Svelte and Vue - A flexible calendar component with a MIT-licensed core and extended commercial version. Here's a live demo of the open source version.

XB Software Sp.

💡 Schedule-X is another great option in this space and v4.6 just landed.

Fate 1.0: A Modern Data Framework for React - A new data framework from former Jest lead and ex-Meta engineer Christoph Nakazawa.

Christoph Nakazawa

Alien Signals: 'The Lightest Signal Library' - Boils the best of Vue, Preact and Svelte's approaches down into the lightest signal library going. A push-pull reactivity core so well-tuned it got merged back into Vue.

Johnson Chu

• Critical 8.0 - Addy Osmani's library for extracting and inlining above-the-fold CSS into HTML.

• SQL Formatter 15.8 - Pretty-printer for SQL queries. (Demo)

• Shiki 4.1 - Popular, powerful syntax highlighter.

• Redux Toolkit 2.12.0 and React Redux 9.3

• Vue.js Language Tools 3.3

📢 Elsewhere in the ecosystem

• Andrea Giammarchi proposes JSONRegistry (above), an alternative to JSON that lets you define a registry for serializing and reviving custom/branded types.

• 🐝 Wasp is a Rails-like framework for Node, React and Prisma. It started life as a new programming language of its own before moving to JavaScript. Founder Matija Sosic tells the story in 5 Years and $5M Later: Inventing a New Programming Language for Web Development Was a Mistake.

• Did you know that some browsers render certain sites 'differently' on an ad hoc basis? Firefox and Safari ship with built-in 'tweaks' for popular sites to fix elements that don't render correctly by default.

• 🤖 Simon Willison shares a quick look at the last six months in LLMs.