Socket kicks off the week with a real supply-chain gut punch: 84 TanStack npm packages compromised, 12M+ weekly downloads exposed, and yet another reminder that dependency trust is not a passive activity. On the AI engineering side, LangChain, Martin Fowler, and Eugene Yan all point in the same direction: the model is only half the story — harness design, team rituals, and reusable context are what make AI systems actually useful.
manager.dev brings timeless incident wisdom (rollback first, debug second), while Jake Handy names the modern management headache: massive AI-generated PRs with suspiciously low ownership. Wasp adds a candid founder postmortem — five years and five million dollars later, inventing a new web language turned out to be the expensive scenic route.
Tool radar is packed: e2a secures agent email handoffs, Wakaru makes minified JavaScript readable again for audits, Syncpack 15.0 helps monorepos stop version drift before it becomes a lifestyle, and the TanStack Start vs Next.js interview is worth a watch if you like your framework debates with business context instead of tribal shouting.
Enjoy!
Sign up here for the newsletter to get the weekly digest right into your inbox.
Find the 10 highlighted links of weeklyfoo #137:
TanStack npm Packages Compromised in Ongoing Supply-Chain Attack
by Socket
84 TanStack packages with over 12M weekly downloads hit in a supply-chain attack — deprecated versions pulled, GitHub Actions hardened with repo-owner guards and pinned action refs
🚀 Read it!, security, javascript, npm
The Anatomy of an Agent Harness
by LangChain
An AI agent is the functional combination of a core LLM and a surrounding harness — code, config, and logic for durable state, sandboxed execution, context compaction, and verification loops
📰 Good to know, ai, engineering
The Unwritten Laws of Software Engineering
by manager.dev
When production fails, roll back before debugging — and treat all untested recovery plans as fictional. Hard-won rules about dependencies, four-eyes checks, and why temporary fixes become permanent
📰 Good to know, engineering
The Slop Cannons In Your Engineering Org
by Jake Handy
A field guide to the engineer shipping huge AI-generated PRs they can't explain — confusing velocity for progress — with a manager's checklist for spotting and fixing the pattern
📰 Good to know, ai, engineering, management
5 Years and $5M Later: Inventing a New Language for Web Dev Was a Mistake
by Wasp
The Wasp co-founder reflects on why building a custom programming language for web development was a mistake — too much friction with developer adoption and high IDE tooling maintenance costs — now transitioning to a TypeScript-based SDK
📰 Good to know, engineering, opinion
How To Work and Compound With AI
by Eugene Yan
Every finished artifact — code, docs, analysis, decisions — becomes context for the next AI session and each correction updates a config that reduces future errors — a practical guide to making AI work compound over time
📰 Good to know, ai, productivity
e2a
by Mnexa-AI
Authenticated email gateway for AI agents with SPF/DKIM verification and HMAC signatures — lets agents communicate with humans via cloud webhooks or WebSocket without needing public URLs
🧰 Tools, ai, tools
Wakaru
by Pionxzh
Feed it minified bundled JavaScript and get readable source modules back — useful for code recovery, reverse-engineering, and security auditing, with an online playground
🧰 Tools, javascript, security, tools
Syncpack 15.0
by Jamie Mason
CLI tool used by Electron, Cloudflare, and Vercel that finds and fixes dependency version mismatches across entire monorepos and enforces version policies — v15.0 adds pnpm and Bun catalog support and a default release age cooldown
🧰 Tools, javascript, monorepo, tools
TanStack Start vs Next.js with Tanner Linsley
by Nuno Maduro
A candid interview covering TanStack's business model, why Start exists alongside Next.js, and framework-agnostic thinking while still deeply focusing on React
📺 Videos, javascript, react
To sign up for the weekly newsletter, visit weeklyfoo.com.