The JavaScript ecosystem never slows down. Every week brings new tools, framework updates, performance benchmarks, and occasionally discoveries that reshape how we think about existing platforms.
This week’s highlights cover a broad spectrum of topics. The release of Solid 2.0 Beta introduces a redesigned async model that simplifies reactive workflows. New benchmarking data compares modern JavaScript minifiers and shows how tools like SWC, Oxc, and Minify are redefining build performance. At the same time, researchers used AI-assisted analysis to uncover multiple previously undiscovered vulnerabilities in Firefox — demonstrating how machine learning is increasingly being used to audit complex codebases.
In this week’s Friday Links, we’ve collected the most interesting stories, tools, and discussions worth your attention.
🧠 Ecosystem Highlights
TypeScript 6 Prepares the Path to TS7
The TypeScript team released an early preview of TypeScript 6.
This release is mainly about internal changes preparing for the future Go-based compiler planned for TypeScript 7.
Key goals:
- faster compilation
- reduced memory usage
- better incremental builds
- improved large project performance
Large monorepos could see dramatic speed improvements once the Go compiler lands.
Deno 2.7 Improves Node Compatibility
The latest Deno runtime release continues improving Node compatibility.
Highlights:
- improved npm integration
- Node API compatibility
- Temporal API stabilization
Example:
const now = Temporal.Now.instant()
console.log(now.toString())
📜 Articles & Tutorials
Under the hood: Security architecture of GitHub Agentic Workflows
Beating JavaScript Performance Limits With Rust and N-API: Building a Faster Image Diff Tool
The Different Ways to Select <html> in CSS
The Big Gotcha of Anchor Positioning
Valibot vs Zod: A Lightweight Validation Alternative
How to steal npm publish tokens by opening GitHub issues
How to Decode a VIN in JavaScript
Why Blindly Using JSON.parse() Can Be Dangerous
Making a Flappy Bird clone using pure HTML and CSS, no JavaScript
How to build a pnpm monorepo, the right way
React is changing the game for streaming apps with the Activity component
Using CSS animations as state machines to remember focus and hover states with CSS only
5 React Hooks Techniques to Improve Component Performance
Tailwind CSS v4 vs MUI, Ant Design & Styled Components
Designing an Efficient LRU Cache Step by Step
How to Deploy OpenClaw and Build Your Personal AI Second Brain
⚒️ Tools
Repomix — Turn Any Repo Into a Single AI-Readable File
Repomix packs an entire repository into a single AI-friendly document.
Cursor Cloud Telegram Connector
npmx is an experimental tool designed to improve npm package exploration.
Wely — Lightweight Web Component Framework
Ink allows developers to build CLI tools using React components.
📚 Libs
Node File Trace - determines exactly which files a Node application needs to run.
JavaScript Minification Benchmarks: SWC Still Leads
RevoGrid - High-Performance Data Grid Component
VMPrint - A pure-JS, tiny typesetting engine with bit-perfect PDF output on everything—from Cloudflare Workers to the browser.
markdown-to-jsx - A very fast and versatile markdown toolchain. Output to AST, React, React Native, SolidJS, Vue, HTML, and more!
clipboardy - Access the system clipboard (copy/paste)
⌚ Releases
Solid v2.0.0 Beta: The <Suspense> Era Comes to an End
After a long experimental phase, Solid 2.0 has released its first beta, introducing native asynchronous reactivity as a core feature of the framework.
In this new model, reactive computations can directly return Promises or async iterables, and Solid’s reactive graph will automatically suspend and resume around those async operations. This removes much of the complexity developers previously had to manage when dealing with asynchronous state.
One notable change is that <Suspense> has been retired. For initial renders, it is now replaced by a simpler component called <Loading>.
React Native 0.85 RC.0, pnpm 10.32, Jest 30.3, Recharts 3.8, OpenPlayer.js 3.0.2, Prisma 7.5, SQLite JS 1.3, React Helmet Async 3.0, Preact 10.29.0
📺 Videos
Build Your Own Video Sharing App – Loom Clone with Next.js and Mux JavaScript Tutorial
You Can Just Ship Agents: Architecting for the Agentic Era | Dom Sipowicz, Vercel
Cloudflare just slop forked Next.js…
7 new open source AI tools you need right now…
NEW Tanstack Hotkeys Library is Amazing
🎤 Talks & Podcasts
Why are we building CodePen v2? — CodePen Radio 419
🗞️ News & Updates
The web industry is gradually shortening the maximum lifespan of TLS certificates.
Starting March 15, 2026, the limit will drop from 398 days to 200 days. The timeline continues with further reductions: 100 days in 2027, and by 2029 the maximum validity period will shrink to just 47 days.
Because of these changes, Heroku recommends enabling automatic certificate renewal to avoid unexpected expirations and potential service disruptions.
🔐 Security
Supply-Chain Attacks Target Developers
Researchers recently discovered malicious GitHub repositories disguised as job assignments.
When opened in VS Code they may execute scripts automatically.
Developers should always review:
- .vscode/tasks.json
- .vscode/settings.json
- package.json
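One way to run that review on an unfamiliar repository before opening it in the editor, as an added example (not code from the article or from any tool it mentions). It assumes the hooks worth flagging are VS Code's `runOptions.runOn: "folderOpen"` task option, the `task.allowAutomaticTasks` setting, and npm's install-time lifecycle scripts; `parseJsonc`, `auditRepo` and the sample contents are constructed for illustration.

```javascript
// Added example. Input: map of relative path -> file text (runs offline).
// tasks.json/settings.json are JSONC, so drop comments outside strings first.
function parseJsonc(text) {
  let out = "", inStr = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === "\\") out += text[++i] ?? "";
      else if (c === '"') inStr = false;
    } else if (c === '"') { inStr = true; out += c; }
    else if (c === "/" && n === "/") { while (i < text.length && text[i] !== "\n") i++; }
    else if (c === "/" && n === "*") { i = text.indexOf("*/", i + 2); if (i < 0) break; i++; }
    else out += c;
  }
  return JSON.parse(out);
}

const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
function auditRepo(files) {
  const findings = [];
  const load = (path) => {
    if (!(path in files)) return null;
    try { return parseJsonc(files[path]); }
    catch { findings.push(`${path}: unparseable, review by hand`); return null; }
  };
  for (const t of load(".vscode/tasks.json")?.tasks ?? [])
    if (t.runOptions?.runOn === "folderOpen")
      findings.push(`.vscode/tasks.json: task "${t.label}" runs on folder open: ${t.command}`);
  if (load(".vscode/settings.json")?.["task.allowAutomaticTasks"] === "on")
    findings.push(".vscode/settings.json: task.allowAutomaticTasks is on");
  const scripts = load("package.json")?.scripts ?? {};
  for (const name of LIFECYCLE)
    if (scripts[name])
      findings.push(`package.json: "${name}" runs during npm install: ${scripts[name]}`);
  return findings;
}

// Constructed sample repo contents, not taken from a real incident.
const SAMPLE = {
  ".vscode/tasks.json": `{
    // presented as a build helper
    "tasks": [
      { "label": "setup", "command": "node scripts/env.js",
        "runOptions": { "runOn": "folderOpen" } },
      { "label": "test", "command": "npm test" } ] }`,
  "package.json": `{ "scripts": { "postinstall": "node scripts/env.js", "test": "jest" } }`,
};
console.log(auditRepo(SAMPLE).join("\n"));
```

A file that fails to parse is reported as a finding rather than skipped, so a deliberately malformed config does not pass silently.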
vm2 Sandbox Escape Vulnerability
A critical vulnerability was discovered in vm2, a sandbox library used for executing untrusted JavaScript.
This vulnerability allows escaping the sandbox and executing arbitrary code.
Researchers at Brave discovered that web agents often leak user information — even when explicitly instructed not to.
In a study involving 1,080 runs on Amazon and eBay, agents powered by GPT-4o, O3, and O4-mini repeatedly exposed data to third-party services that had nothing to do with the task they were performing.
Examples included:
- inserting conversation history into search fields
- revealing personal details through interaction patterns
- unintentionally sending contextual data to external services
The findings highlight a growing concern: AI web agents may unintentionally expose sensitive user information through their behavior, even when privacy safeguards are in place.
The Anthropic team recently analyzed the Firefox codebase using Claude and uncovered 14 critical vulnerabilities that had gone unnoticed for years.
In total, the investigation led to the discovery of 22 security issues, all of which were assigned CVE identifiers and addressed in Firefox 148.
Some of these vulnerabilities had reportedly been present in the codebase for over a decade, highlighting how AI-assisted analysis can help uncover deeply hidden security flaws in large, mature software projects.
How we got hit by Shai-Hulud: A complete post-mortem
That’s all for this week’s JavaScript roundup.
The ecosystem continues to evolve rapidly, and keeping track of new tools, releases, and discoveries can be challenging. Weekly collections like Friday Links aim to surface the most meaningful updates so developers can stay informed without being overwhelmed.
If you came across an interesting library, experiment, or article this week, consider sharing it — the next edition might include it.
