fidzu : javascript

#​786 - May 19, 2026

Read on the Web

JavaScript Weekly

RFC: It's Time for npm to Make Install Scripts Opt-In - npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default, and they've become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm). This RFC features further discussion of the idea and the tradeoffs involved.

Jamie Magee

💡 npq is a tool that makes npm installs safer. It stands in front of npm and audits packages before installing them, including the presence of pre/post install scripts.

How Depot Built a CI Orchestrator on AWS Lambda - Long-running CI orchestration without long-lived servers. Depot rebuilt their CI engine using AWS Lambda durable functions - stateful, callback-driven, and crash-recoverable. A deep dive into the run-workflow-job hierarchy powering Depot CI.

Depot sponsor

Mini Shai-Hulud Hits: 300+ Malicious npm Packages Published - The "Shai-Hulud" class of npm ecosystem attacks continues to rumble on. Today, hundreds more packages - including popular ones from the antv family and timeago.js - were hit.

SafeDep Team

IN BRIEF:

• 😱 Dr. Axel Rauschmayer (JavaScript legend and former JS Weekly editor) has taken his blog and JavaScript books off the Web due to being overwhelmed by AI crawlers. You can, however, still purchase his fantastic books here.

• The Bun saga continues. Despite once playing down its significance, the Rust-based rewrite of Bun has been merged, though there are questions over the quality of the AI-ported code. Much discussion ensued on Hacker News.

• The Deno team is teasing Deno 2.8, due to be released this week. Significant Node.js compatibility improvements, import defer, and TypeScript 6.0.3 support await.

• The Chrome and Edge teams are working on a new <install> HTML element for browsers to render a 'trusted install button' for PWAs.

• The Express.js project has an all new look, including a new site, logo, and improved docs.

RELEASES:

• Angular 22 Release Candidate - Final is due in early June. Expect signal-based forms and the OnPush change detection strategy becoming default.

• Bun 1.3.14 - The alternative JS runtime gets Bun.Image, more HTTP/2 and HTTP/3 support, and more Node compatibility improvements.

• ESLint Config Inspector 3.0 - A visual tool for inspecting and understanding your ESLint flat configs.

• TypeORM 1.0, ESLint 10.4.0, Relay 21.0, Rolldown 1.0.1

📖 Articles and Videos

🤖 Mark Erikson's Agent Setup, Workflow, and Tools - Mark, well known for maintaining Redux and creating Redux Toolkit, goes deep into his daily development workflow, including his use of OpenCode (an open source JavaScript-powered coding agent), how he manages his knowledge base, tasks, and more.

Mark Erikson

Clerk API Keys Are Now Generally Available - Let your users create credentials that delegate access to your API. Verify server-side, revoke instantly - all via the Backend SDK.

Clerk sponsor

📗 NodeBook: An Advanced Guide to Node.js Internals - Eight in-depth chapters for understanding Node.js internals, covering topics like event loop internals, what V8 does, streams, module resolution, and async/await.

Ishtmeet Singh

Soon We Can Finally Banish JavaScript to the ShadowRealm - A tour of the in-progress TC39 proposal for running JavaScript in an isolated 'pseudo-realm' with its own globals and intrinsics. Handy for third-party code or anything you want to keep away from global scope.

Mat Marquis

📄 Hardening TanStack After the npm Compromise - What TanStack is doing to improve supply chain security after an attacker published malicious versions of TanStack packages last week. The TanStack Team

📺 The TanStack Start Story: Tanner Linsley on Competing with Next.js - A candid 40-minute interview with TanStack's founder. Nuno Maduro

📄 Cross-Document View Transitions: The Gotchas Nobody Mentions Durgesh Rajubhai Pawar (CSS Tricks)

🛠 Code & Tools

Orval: Generate Type-Safe Clients from OpenAPI/Swagger Specs - Given a valid OpenAPI v3 or Swagger v2 spec, generate models, requests, hooks, and mocks for React, Vue, Svelte, Solid, and Hono apps, or even plain fetch.

Victor Bury

Brownies: Browser Storage as a Plain Object, With Change Events - One tiny API over cookies, localStorage, sessionStorage and IndexedDB. Typed values survive automatically, and you get subscribe() for change events.

Francisco Presencia

Querying a Billion Rows Shouldn't Freeze Your API - TimescaleDB extends Postgres so analytics queries stay fast at scale. No pipeline, no drift. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

🖼️ Pica 10.0: High Quality Image Resizing in the Browser - High quality in-browser image resizing that leans on WASM and Web Workers or falls back to pure JS as necessary. v10 is a modernization build (the first since 2021) that adds ESM and split builds and migrates to TypeScript. GitHub repo.

Vitaly Puzrin

🗓️ SVAR Calendar: A Calendar Component for React, Svelte and Vue - A flexible calendar component with a MIT-licensed core and extended commercial version. Here's a live demo of the open source version.

XB Software Sp.

💡 Schedule-X is another great option in this space and v4.6 just landed.

Fate 1.0: A Modern Data Framework for React - A new data framework from former Jest lead and ex-Meta engineer Christoph Nakazawa.

Christoph Nakazawa

Alien Signals: 'The Lightest Signal Library' - Boils the best of Vue, Preact and Svelte's approaches down into the lightest signal library going. A push-pull reactivity core so well-tuned it got merged back into Vue.

Johnson Chu

• Critical 8.0 - Addy Osmani's library for extracting and inlining above-the-fold CSS into HTML.

• SQL Formatter 15.8 - Pretty-printer for SQL queries. (Demo)

• Shiki 4.1 - Popular, powerful syntax highlighter.

• Redux Toolkit 2.12.0 and React Redux 9.3

• Vue.js Language Tools 3.3

📢 Elsewhere in the ecosystem

• Andrea Giammarchi proposes JSONRegistry (above), an alternative to JSON that lets you define a registry for serializing and reviving custom/branded types.

• 🐝 Wasp is a Rails-like framework for Node, React and Prisma. It started life as a new programming language of its own before moving to JavaScript. Founder Matija Sosic tells the story in 5 Years and $5M Later: Inventing a New Programming Language for Web Development Was a Mistake.

• Did you know that some browsers render certain sites 'differently' on an ad hoc basis? Firefox and Safari ship with built-in 'tweaks' for popular sites to fix elements that don't render correctly by default.

• 🤖 Simon Willison shares a quick look at the last six months in LLMs.

#​785 - May 12, 2026

Read on the Web

JavaScript Weekly

Anatomy of the TanStack npm Compromise - A new strain of the Shai-Hulud worm pushed malicious versions of TanStack packages to npm yesterday (containing a tripwire that would delete files if it detected token revocation), though it hit ~170 other packages too. Maintainer credentials weren't stolen, with the attack instead chaining pull_request_target abuse, cache poisoning, and OIDC token theft from CI memory.

Tanner Linsley

❓ What should you do? Consider an install-time cooldown (e.g. with npm config set min-release-age=7 or pnpm's minimumReleaseAge), as the packages were only compromised for 26 minutes. Plus, audit your GitHub Actions workflows for security issues with a tool like zizmor.

Next.js Debugging Workshop: Logs, Tracing, Full Context - Stop jumping between tools to piece together a Next.js bug. Sentry's hands-on workshop shows you how to write logs that explain where, what, and why, then connect them to traces across client and Node runtimes. Register today.

Sentry sponsor

Announcing Rolldown 1.0: The High Performance JS Bundler - The Rust-based bundler built as the backbone for Vite 8 reaches a stable v1.0. You get huge performance gains, but with Rollup plugin API compatibility: it's 10-30x faster than Rollup, with early adopters reporting big drops in build time.

The VoidZero Team

IN BRIEF:

• The notes from Node.js's recent collaboration summit make for good reading if you want to see what the Node team is working on right now.

• Regarding Bun's experimental port to Rust (from Zig), Jarred Sumner says the now-960k LOC rewrite passes 99.8% of Bun's pre-existing test suite.

• 🤖 A developer has launched a challenge to port NetHack to JavaScript. Can LLMs port the complex roguelike game perfectly? So far, no, with the leaderboard showing a transpiled version coming closest.

• Did you know Firefox has a $$$ helper for querying through the Shadow DOM?

RELEASES:

• Jest 30.4.0 - A strong release for the popular JavaScript testing framework as it improves ESM, Temporal and React 19 support.

• Node 26.1 (Current) - Last week's big Node 26 release may have had the Temporal API, but 26.1 adds (experimental) official FFI support. I did a writeup of what this means at the end of last week's Node Weekly.

• Electron 42 - Updates to Chromium 148/Node 24.15/V8 14.8 and no longer downloads the Electron binary in a postinstall script for added security.

• Capacitor 9.0 Alpha 1, Playwright 1.60.0, Mantine 9.2

📖 Articles and Videos

33 JavaScript Concepts - What began life as a Medium article and turned into a popular GitHub repo is now a full site covering a wide array of JavaScript concepts, even going beyond the 33.

Leonardo Maldonado

9 Times the Web Platform Was Influenced by JavaScript Libraries - How various libraries like Lodash, Dojo and jQuery often did the "R&D work in production" for various features that eventually ended up in browser APIs.

Jad Joubran

Easy and Rapid Azure Migrations. Azure Copilot Migration Agent - Check out Microsoft's Introduction to Azure Copilot Agents free learning module to learn more and try it yourself.

Microsoft Azure Copilot Migration Agent sponsor

From React to Web Components: A Migration That Saved 100 KB - "How I migrated a site from React to native Web Components, why that worked better than I expected, and how the patterns I used along the way grew into a small library called nanotags."

Pavel Grinchenko (Evil Martians)

Why Migrate to Valibot? - Valibot is a light, modular TypeScript schema validation library and an alternative to the likes of Zod. v1.4.0 just dropped, too.

Fabian Hiller

📄 A Vanilla Routing Experiment - A look at the tripping points when building client-side routing for a small site without using a framework. Daniela Baron

📄 Preserving DOM Changes Across Live Reloads Kitty Giraudel

📄 I Keep Tripping Over true, false, true Matt Smith

📄 Stop Using Yarn Classic Nicolas Charpentier

📄 Introducing TanStack Form Adam Rackis

🛠 Code & Tools

zero-native: Build Desktop Apps with Zig + WebView - Vercel Labs' entry into the Neutralinojs/Electron/Tauri space for building native HTML+JS desktop apps atop a Zig core and the system WebView or Chromium. There are examples covering how to build vanilla, React, Svelte, and Vue apps on it. GitHub repo.

Vercel

That API Call Takes 3 Seconds. It's Not the Network - It's the analytics query behind it. TimescaleDB extends Postgres so queries stay fast at scale. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

Wakaru: Pull Apart Minified JavaScript Bundles - A tool you can feed minified bundled code and get readable modules back, whether for recovering code, reverse-engineering, or security auditing. You can try it online here.

Pionxzh

BlueJS: Compile JavaScript to Tiny Binaries - An ahead-of-time compiler for JavaScript with QuickJS optionally embedded for dynamic features and package support. While closed source, the raw numbers are compelling (~5ms startup; 3.8MB peak memory use, and a GUI app in a 1.2MB binary).

BlueJS

💡 PerryTS is another (open source) option in this space worth a look.

• pnpm 11.1 - Supports a new gh: prefix for GitHub Packages, pnpm bugs opens a package's bug tracker in the browser, and pnpm audit signatures verifies ECDSA registry signatures against keys.

• Astro 6.3 - Adds experimental support for advanced routing: control how requests flow through your app, with full support for frameworks like Hono.

• Syncpack 15.0 - Large JavaScript monorepo dependency version manager. Now with full support for pnpm and Bun catalogs.

• 📱 Expo SDK 56 Beta - The popular React Native framework gets a speed boost and the Jetpack Compose and SwiftUI APIs go stable.

• MDXEditor 4.0 - Powerful Markdown editor React component.

#​784 - May 5, 2026

Read on the Web

JavaScript Weekly

Remix 3 Enters Beta - It's No Longer a React Framework - Remix has quite the back story. Created by the duo behind React Router in 2020 and seen as an alternative to Next.js, Remix was acquired by Shopify in 2022 and its core ideas folded into React Router v7 in 2024. Now, a new direction: a full-stack, web standards-first framework with its own UI component model and… no React.

Michael Jackson (Remix)

Build AI Features That Get Better Over Time - Join Scott Moss for this detailed video course covering agentic systems, eval harnesses, RAG, and context engineering - everything you need to ship reliable, production-ready AI features.

Frontend Masters sponsor

Node.js 26.0.0 (Current) Released - A macOS build snafu pushed the release date out to today, but the latest version of Node is here, complete with Temporal API enabled by default, V8 14.6, and Undici 8. v26 is the 'current' cutting-edge release until October when it'll be promoted to LTS.

Rafael Gonzaga

IN BRIEF:

• Vitest is tightly coupled to Vite, but a maintainer has proposed making it "framework-agnostic" to support other build tools and runtimes.

• People on Hacker News got very excited to discuss an effort by Bun's Jarred Sumner to port Bun from Zig to Rust. Jarred turned up on the thread to cool things down. A Rust port is being attempted, but with no long-term intent to switch for now.

• The Svelte team has shared its latest monthly roundup, including the news that Svelte appears in ThoughtWorks' latest Technology Radar.

• Deno is getting experimental support for import defer (TC39 proposal) and may be the first runtime to support it.

RELEASES:

• PM2 7.0 - The Node.js process manager gets a refactor that slashes its dependency footprint, and extends cluster mode and the monitoring agent to Bun apps.

• Astro v7 Alpha - The web framework for content-driven websites teases its Vite 8-based, Rust compiler-driven version, alongside its v6.2 release.

• Electron 41.5 - The cross-platform desktop app framework adds support for Touch ID for WebAuthn on macOS.

• Ember 6.12 - The final 6.x release in preparation for Ember 7.0.

• ESLint 10.3, Zod 4.4, Babylon.js 9.5

📖 Articles and Videos

Testing Vue Components in the Browser - Julia sets up integration tests for her components that run entirely in the browser, sidestepping extraneous tooling, and shares issues she ran into around mounting components, waiting on the DOM, filling forms, and measuring coverage.

Julia Evans

Trustworthy JavaScript for the Open Web - Web Application Integrity, Consistency and Transparency (WAICT) is an emerging spec for cryptographically verifying that the JavaScript running in a user's browser matches what the site published (there's a full explainer here). A prototype is now live in Firefox Nightly.

The Firefox Security Team (Mozilla)

Breakpoints and console.log Is the Past, Time Travel Is the Future - 15x faster JavaScript debugging than with breakpoints and console.log, supports Vitest, Jest, Karma, Jasmine, and more.

Wallaby Team sponsor

📄 'I Got a $134 Cloudflare D1 Bill: Here's How I Cut It 95%' - Adventures in using SvelteKit on Cloudflare Workers with D1 (SQLite) and Drizzle ORM. Justin Ahinon

📄 'I Am Worried About Bun' - By a developer who's worried about the long term implications of Anthropic acquiring Bun. William Johnston

📄 Making Bluetooth Low Energy Work with JavaScript Ifedayo Agboola

🛠 Code & Tools

Anime.js 4.4: The Flexible JavaScript Animation Engine - At ten years old, the 'animate anything from JavaScript' library continues to get even better with a new scrambleText effect and auto-grid layout mode for stagger grids. The docs for Anime are truly top-tier and packed with examples.

Julian Garnier

Video Archiving with the Vonage Video API and React - Master four ways to record: capture audio-only, separate streams, or use Experience Composer for custom branded layouts.

Vonage sponsor

Formisch: A Modular, Type-Safe Form Library - A schema-based, headless form library for Preact, Qwik, React, SolidJS, Svelte and Vue that manages form state and validation (using Valibot). Try out some demos in the playground.

Open Circle

opentype.js: Read and Write OpenType Fonts - Get direct access to letterforms in the browser and Node.js. Has broad WOFF, OTF, and TTF support, and supports ligatures, kerning, and emojis. You can also create your own fonts from scratch. The new v1.3.5 release is a preview of the soon-to-land 2.0. GitHub repo.

Frederik De Bleser

View Transitions Mock: Non-Visual Polyfill for Same-Document View Transitions - A JS implementation of Same-Document View Transitions, without the visuals. Write one clean code path: supporting browsers get the transitions, non-supporting ones get an instant DOM swap, but the promises behave the same.

Google Chrome Labs

• 🎬 Mediabunny v1.42.0 - Read, write, and convert audio and video files in the browser. v1.42.0 notably adds HTTP Live Streaming (HLS) read/write support.

• pnpm v11.0.5 - The fast and efficient npm alternative has deployed many bugfixes since last week's big 11.0 release.

• Electrobun 1.18 - Build tiny cross-platform desktop apps atop Bun. (Changelog)

• useHotkeys 5.3 - React hook for using keyboard shortcuts in components.

• RxDB 17.2.0 - Fast, local-first, reactive database for JS apps.

📢 Elsewhere in the ecosystem

• How can you not love a project homepage where you're a cat in a convertible driving through an endless barrage of obstacles? Crashcat is a JavaScript 3D rigid body physics library built for games, simulations, and web experiences, complete with numerous fun examples.

• ✉️ Cloudflare has open sourced Agentic Inbox, a self-hosted React 19 and React Router 7-based web email app that ties together and heavily leans on numerous Cloudflare APIs.

• Ladybird is a "truly independent web browser" with its renderer and JS engine built entirely from scratch, with an alpha release due later this year. In the project's latest update they cover recent significant JS and CSS improvements.

• Tired of localhost:3000 on your projects? Vercel's Portless lets you run local dev servers using a more user-friendly .localhost hostname over HTTPS.

• Thales is a TypeScript to Lean compiler that type-checks a subset of TypeScript and emits a Lean sidecar, turning your code into a Lean module you can reason about.