Red Hat's npm channel got backdoored — yes, the official one — so if your dependency hygiene was already anxious, Gabor Koos has the 2026 vetting checklist to restore some confidence. Meanwhile, Ammar Askar shows that a single malicious link can steal your GitHub token through a VSCode webview bug, which is the kind of vulnerability that makes you want to audit every extension you've ever installed.
On the more uplifting side: VoidZero joins Cloudflare, bringing the whole Vite, Vitest, Rolldown, and Oxc ecosystem under one very well-funded roof. Postgres 19 adds SQL/PGQ support so you can finally run Cypher-style graph queries without reaching for a separate datastore. And Anthropic pulls back the curtain on how they keep Claude contained across products — sandboxes, VMs, strict egress controls, and model training working together, because hope is not a containment strategy.
Also in this issue: Loris Cro makes the compelling case for keeping assertions alive in production (your panics are actually your friends), Harry Roberts introduces the TBT Window — the performance metric hiding in plain sight between FCP and TTI, Matt Pocock ships Sandcastle for running AI agents in provider-agnostic isolated sandboxes, and Google's Code Wiki auto-generates architecture docs that actually stay current. replacements.fyi helps you swap bloated npm packages for leaner alternatives or Node.js built-ins, Xata's DeltaX brings columnar time-series performance inside regular Postgres tables, and Alibaba's Open Code Review adds AI-powered diff analysis with line-level precision to your CLI workflow.
Enjoy!
Signup here for the newsletter to get the weekly digest right into your inbox.
Find the 13 highlighted links of weeklyfoo #140:
How to Evaluate an npm Package: 2026 Edition
by Gabor Koos
A practical checklist for vetting packages beyond star counts — provenance attestation, install scripts, CI quality, and maintainer responsiveness
🚀 Read it!, npm, javascript, security
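A few of the checklist items are mechanical enough to script against the registry metadata before anyone opens the tarball. The snippet below is an added illustration, not code from Gabor's article: it takes a constructed packument (the JSON the npm registry returns for a package) and flags install-time lifecycle scripts, a missing or dropped provenance attestation, a single maintainer account, and a release that lands after a long quiet period. The field names it reads (`versions`, `time`, `maintainers`, `dist.attestations`) are the registry's document format as I understand it; treat them as assumptions and verify against a real packument.

```javascript
// Added example, not from the linked article: mechanical pre-checks on an
// npm packument. The packument below is constructed for illustration; the
// package name does not refer to a real package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const DORMANCY_DAYS = 365;

const PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.0.0' },
  // One maintainer: one account to phish, one token to leak.
  maintainers: [{ name: 'solo-maintainer', email: 'solo@example.com' }],
  time: {
    '1.4.2': '2023-01-10T00:00:00.000Z',
    '2.0.0': '2025-06-01T00:00:00.000Z',
  },
  versions: {
    '1.4.2': {
      version: '1.4.2',
      scripts: { test: 'node test.js' },
      dist: {
        tarball: 'https://registry.example/example-lib/-/example-lib-1.4.2.tgz',
        // Assumed shape of a provenance attestation entry (npm publish --provenance).
        attestations: {
          url: 'https://registry.example/-/npm/v1/attestations/example-lib@1.4.2',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '2.0.0': {
      version: '2.0.0',
      scripts: { test: 'node test.js', postinstall: 'node setup.js' },
      dist: { tarball: 'https://registry.example/example-lib/-/example-lib-2.0.0.tgz' },
    },
  },
};

// Versions ordered by publish time, taken from the packument's `time` map.
function publishOrder(packument) {
  return Object.keys(packument.versions)
    .filter((v) => packument.time && packument.time[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.provenance);
}

// Returns {code, detail} findings for one version. An empty list means nothing
// mechanical to object to; it is not a clean bill of health.
function vetVersion(packument, version) {
  const doc = packument.versions[version];
  if (!doc) throw new Error(`version ${version} not found in packument`);
  const findings = [];

  // Lifecycle scripts run arbitrary code on every developer machine and CI
  // runner that installs the package; each one needs a justification.
  for (const hook of INSTALL_HOOKS) {
    if (doc.scripts && doc.scripts[hook]) {
      findings.push({ code: 'install-script', detail: `${hook}: ${doc.scripts[hook]}` });
    }
  }

  // Provenance ties the tarball to a CI build of a public repo. A version that
  // drops it after earlier versions carried it suggests the publishing path
  // changed, which is exactly what a hijacked account or leaked token looks like.
  const order = publishOrder(packument);
  const idx = order.indexOf(version);
  const prev = idx > 0 ? order[idx - 1] : null;
  if (!hasProvenance(doc)) {
    if (prev && hasProvenance(packument.versions[prev])) {
      findings.push({ code: 'provenance-dropped', detail: `${prev} was attested, ${version} is not` });
    } else {
      findings.push({ code: 'no-provenance', detail: 'no provenance attestation on this version' });
    }
  }

  if ((packument.maintainers || []).length < 2) {
    findings.push({ code: 'single-maintainer', detail: 'only one maintainer account can publish' });
  }

  // A release after a long dormant stretch deserves a closer read of the diff.
  if (prev) {
    const gapMs = Date.parse(packument.time[version]) - Date.parse(packument.time[prev]);
    const gapDays = gapMs / 86400000;
    if (gapDays > DORMANCY_DAYS) {
      findings.push({ code: 'dormant-then-published', detail: `${Math.round(gapDays)} days since ${prev}` });
    }
  }
  return findings;
}

for (const f of vetVersion(PACKUMENT, PACKUMENT['dist-tags'].latest)) {
  console.log(`[${f.code}] ${f.detail}`);
}
```

None of these findings proves a package is malicious; they decide which packages get a human reading the install script and the diff against the previous version, which is where the article's remaining checklist items (CI quality, maintainer responsiveness) take over.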
You Must Fix Your Asserts
by Loris Cro
Disabling assertions in production lets software run under false assumptions — keep them active to trigger panics on violation or use them as compiler optimization hints
📰 Good to know, debugging, assertions, code-quality
Dozens of Red Hat npm Packages Backdoored
by Ars Technica
Supply chain attack via the official npm channel — dozens of packages compromised through a hijacked publishing account
📰 Good to know, security, npm, supply-chain
1-Click GitHub Token Stealing via a VSCode Bug
by Ammar Askar
A vulnerability in VSCode's webview security model lets attackers steal GitHub tokens through a single malicious link by bubbling keyboard events from isolated iframes
📰 Good to know, security, vscode, github
Frontend's Missing Metric: The TBT Window
by Harry Roberts
A case for tracking the FCP-to-TTI interval where TBT is counted — TBT can silently regress with no real change in blocking work as FCP or TTI shift
📰 Good to know, performance, css, web-vitals
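To see why the window matters, here is an added illustration (not code from Harry's article) that computes TBT from a constructed set of long tasks and then moves only the FCP and TTI endpoints. The blocking work on the main thread is identical in every run; TBT still changes. Task clipping to the window before the 50 ms threshold is applied mirrors how Lighthouse computes the metric, as far as I know; the timestamps are invented, in milliseconds from navigation start.

```javascript
// Added example, not from the linked article. All times are ms from
// navigation start; the long tasks below are constructed, not captured.
const BLOCKING_THRESHOLD_MS = 50;

const LONG_TASKS = [
  { start: 900, duration: 120 },  // before FCP in the baseline run
  { start: 1500, duration: 200 }, // inside the window in every run
  { start: 2600, duration: 300 }, // after TTI in the baseline run
];

// TBT: each long task is clipped to [fcp, tti]; whatever remains of the
// clipped duration beyond the first 50 ms counts as blocking time.
function totalBlockingTime(tasks, fcp, tti) {
  let tbt = 0;
  for (const task of tasks) {
    const start = Math.max(task.start, fcp);
    const end = Math.min(task.start + task.duration, tti);
    const clipped = end - start;
    if (clipped <= BLOCKING_THRESHOLD_MS) continue;
    tbt += clipped - BLOCKING_THRESHOLD_MS;
  }
  return tbt;
}

// The interval TBT is counted over: the "TBT window" the article argues for tracking.
function tbtWindow(fcp, tti) {
  return tti - fcp;
}

function scenario(label, fcp, tti) {
  return {
    label,
    fcp,
    tti,
    window: tbtWindow(fcp, tti),
    tbt: totalBlockingTime(LONG_TASKS, fcp, tti),
  };
}

// Same main-thread work in all three runs; only the window endpoints move.
const RUNS = [
  scenario('baseline', 1200, 2500),
  scenario('FCP got earlier (say, critical CSS inlined)', 800, 2500),
  scenario('TTI got later (say, a late third-party script)', 1200, 3000),
];

for (const r of RUNS) {
  console.log(`${r.label}: window ${r.window} ms (FCP ${r.fcp} -> TTI ${r.tti}), TBT ${r.tbt} ms`);
}
```

In the baseline only the middle task sits inside the window, so TBT is 150 ms. Pull FCP forward and the first task now falls inside, so TBT rises to 220 ms; push TTI out and the last task is counted, so TBT hits 400 ms. Nothing about the tasks changed, which is the point: report the window alongside TBT or you cannot tell a blocking-work regression from a window shift.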
Handling Graphs with SQL/PGQ in Postgres 19
by Hans-Jürgen Schönig
Postgres 19 adds SQL/PGQ support — declare a property graph over tables and pattern-match with Cypher-like MATCH queries, all rewritten to relational queries by the planner
📰 Good to know, postgres, graphs, sql
VoidZero Joins Cloudflare
by Cloudflare
The company behind Vite, Vitest, Rolldown, and Oxc is joining Cloudflare — the JS toolchain stack with the most momentum just found a new home
📰 Good to know, javascript, vite, tooling
How We Contain Claude Across Products
by Anthropic
Anthropic's multi-layered containment approach — sandboxes, VMs, strict egress controls, and model training — limits agent blast radius more reliably than human supervision alone
📰 Good to know, ai, security, engineering
Sandcastle
by Matt Pocock
Provider-agnostic TypeScript library for running AI coding agents in isolated sandboxes — Docker, Podman, or Vercel
🧰 Tools, ai, typescript, agents
Code Wiki
by Google for Developers
Gemini-generated repo documentation that stays up-to-date — generates natural language summaries and architecture diagrams for any repository
🧰 Tools, ai, documentation, tools
DeltaX
by Xata
Columnar storage extension for time-series data in Postgres — uses regular tables so replication, backups, and pg_dump work as usual
🧰 Tools, postgres, time-series, extensions
replacements.fyi
by e18e
Type in an npm package name and get lighter alternatives or Node.js built-in equivalents — is-number becomes a one-liner, axios becomes fetch, chalk becomes util.styleText
🧰 Tools, npm, javascript, tools
Open Code Review
by Alibaba
AI-powered code review CLI that reads git diffs, sends files to a configurable LLM via an agent with tool-use capabilities, and generates structured review comments with line-level precision
🧰 Tools, ai, code-review, cli
Want to read more? Check out the full article here.
To sign up for the weekly newsletter, visit weeklyfoo.com.