It’s Time for npm to Make Install Scripts Opt-In — npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default and they’ve become too much of a security weakness says Jamie, who works for GitHub (which maintains npm). This RFC on npm’s RFCs repo features further discussion on this idea and the pros/cons of doing so.

Jamie Magee

How Depot Built a CI Orchestrator on AWS Lambda — Long-running CI orchestration without long-lived servers. Depot rebuilt their CI engine using AWS Lambda durable functions — stateful, callback-driven, and crash-recoverable. A deep dive into the run-workflow-job hierarchy powering Depot CI.

Depot sponsor

Mini Shai-Hulud Hits: 300+ Malicious npm Packages Published — The "Shai-Hulud" class of npm ecosystem attacks continues to rumble on. Today, hundreds more packages – including popular ones from the antv family and timeago.js – were hit.

SafeDep Team

🤖 Mark Erikson's Agent Setup, Workflow, and Tools — Mark, well known for maintaining Redux and creating Redux Toolkit, goes deep into his daily development workflow, including his use of OpenCode (an open source JavaScript-powered coding agent), how he manages his knowledge base, tasks, and more.

Mark Erikson

Clerk API Keys Are Now Generally Available — Let your users create credentials that delegate access to your API. Verify server-side, revoke instantly — all via the Backend SDK.

Clerk sponsor

📗 NodeBook: An Advanced Guide to Node.js Internals — Eight chapters of deep material if you want to understand Node.js deeply, covering topics like event loop internals, what V8 does, streams, module resolution, and async/await.

Ishtmeet Singh

Soon We Can Finally Banish JavaScript to the ShadowRealm — A tour of the in-progress TC39 proposal for running JavaScript in an isolated ‘pseudo-realm’ with its own globals and intrinsics. Handy for third-party code or anything you want to keep away from global scope.

Mat Marquis

Orval: Generate Type-Safe Clients from OpenAPI/Swagger Specs — Given a valid OpenAPI v3 or Swagger v2 spec, generate models, requests, hooks, and mocks for React, Vue, Svelte, Solid, and Hono apps, or even plain fetch.

Victor Bury

Brownies: Browser Storage as a Plain Object, With Change Events — One tiny API over cookies, localStorage, sessionStorage and IndexedDB. Typed values survive automatically, and you get subscribe() for change events.

Francisco Presencia

Querying a Billion Rows Shouldn't Freeze Your API — TimescaleDB extends Postgres so analytics queries stay fast at scale. No pipeline, no drift. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

🖼️ Pica 10.0: High Quality Image Resizing in the Browser — High quality in-browser image resizing that leans on WASM and Web Workers or falls back to pure JS as necessary. v10 is a modernization build (the first since 2021) that adds ESM and split builds and migrates to TypeScript. GitHub repo.

Vitaly Puzrin

🗓️ SVAR Calendar: A Calendar Component for React, Svelte and Vue — A flexible calendar component with a MIT-licensed core and extended commercial version. Here’s a live demo of the open source version.

XB Software Sp.

Fate 1.0: A Modern Data Framework for React — A new data framework from former Jest lead and ex-Meta engineer Christoph Nakazawa.

Christoph Nakazawa

Alien Signals: 'The Lightest Signal Library' — Boils the best of Vue, Preact and Svelte’s approaches down into the lightest signal library going. A push-pull reactivity core so well-tuned it got merged back into Vue.

Johnson Chu