Adam

Posted on • Originally published at weeklyfoo.com

Stay ahead in web development: latest news, tools, and insights #140

Sign up here for the newsletter to get the weekly digest right into your inbox.

weeklyfoo #140 is here: your weekly digest of all webdev news you need to know! This time you'll find 37 valuable links in 4 categories! Enjoy!

🚀 Read it!

  • How to Evaluate an npm Package: 2026 Edition: A practical checklist for vetting packages beyond star counts — provenance attestation, install scripts, CI quality, and maintainer responsiveness by Gabor Koos / npm, javascript, security / 17 min read

📰 Good to know

  • You Must Fix Your Asserts: Disabling assertions in production lets software run under false assumptions — keep them active to trigger panics on violation or use them as compiler optimization hints by Loris Cro / debugging, assertions, code-quality / 15 min read
  • Build Agents, Not Pipelines: Pipelines use fixed logic for predictability at scale; agents manage their own control flow for complex reasoning — a practical guide to knowing which to reach for by Sean Goedecke / ai, agents, llm / 13 min read
  • Figma Make, Now on Your Local Code: Designers can now edit directly in the production codebase from Figma — visual edits, annotations, and PR creation without context switching by Figma / figma, design, tools / 9 min read
  • Your Process' Memory Is a File: Linux's /proc/pid/mem allows direct read and write access to a process's address space using standard file semantics by Michal Zalewski / linux, systems / 7 min read
  • Websites Have a New Way to Spy on Visitors: Analyzing Their SSD Activity: The FROST method uses JavaScript to measure SSD timing patterns and infer which apps and tabs a visitor has open — a covert browser-based side-channel by Ars Technica / security, privacy, browser / 7 min read
  • Dozens of Red Hat npm Packages Backdoored: Supply chain attack via the official npm channel — dozens of packages compromised through a hijacked publishing account by Ars Technica / security, npm, supply-chain / 7 min read
  • Why Does tsgo Use So Much Memory?: A deep dive into the Go-powered TypeScript 7 compiler and why it can chew through gigabytes on large projects by Zack Radisic / typescript, performance, compilers / 12 min read
  • 1-Click GitHub Token Stealing via a VSCode Bug: A vulnerability in VSCode's webview security model lets attackers steal GitHub tokens through a single malicious link by bubbling keyboard events from isolated iframes by Ammar Askar / security, vscode, github / 14 min read
  • Chrome DevTools MCP Server Stable in Chrome 149: The MCP server and CLI for Chrome DevTools letting AI coding agents drive debugging and perf audits is now officially stable by Chrome for Developers / chrome, devtools, mcp, ai / 10 min read
  • HTML-in-Canvas API Origin Trial: Draw live interactive HTML and CSS into a canvas element — combining DOM accessibility and text layout with performant low-level graphics by Chrome for Developers / html, canvas, chrome, frontend / 8 min read
  • Frontend's Missing Metric: The TBT Window: A case for tracking the FCP-to-TTI interval where TBT is counted — TBT can silently regress with no real change in blocking work as FCP or TTI shift by Harry Roberts / performance, css, web-vitals / 19 min read
  • Handling Graphs with SQL/PGQ in Postgres 19: Postgres 19 adds SQL/PGQ support — declare a property graph over tables and pattern-match with Cypher-like MATCH queries, all rewritten to relational queries by the planner by Hans-Jürgen Schönig / postgres, graphs, sql / 1 min read
  • The Night Our Tables Wouldn't Stop Growing: A production incident where a stray statement_timeout quietly broke logical replication and caused tables to balloon overnight by Semab Tariq / postgres, production, incident / 11 min read
  • VoidZero Joins Cloudflare: The company behind Vite, Vitest, Rolldown, and Oxc is joining Cloudflare — the JS toolchain stack with the most momentum just found a new home by Cloudflare / javascript, vite, tooling / 13 min read
  • Every Byte Matters: Packing data into Struct-of-Arrays instead of Array-of-Structs aligns access with cache lines — the technique can yield up to 30x performance improvements on sequential workloads by Fathi Zakaria / performance, engineering, systems / 6 min read
  • How We Contain Claude Across Products: Anthropic's multi-layered containment approach — sandboxes, VMs, strict egress controls, and model training — limits agent blast radius more reliably than human supervision alone by Anthropic / ai, security, engineering / 24 min read

🧰 Tools

  • Website Spec: A platform-agnostic specification of the technical features every decent website should have. by Joost de Valk / spec, web, seo, a11y
  • Sandcastle: Provider-agnostic TypeScript library for running AI coding agents in isolated sandboxes — Docker, Podman, or Vercel by Matt Pocock / ai, typescript, agents
  • Flowsint: Open-source graph-based OSINT tool that maps relationships between domains, IP addresses, and social media profiles by reconurge / security, osint, tools
  • Hocuspocus 4: Plug-and-play real-time collaboration backend based on Yjs — runs on Node, Bun, Deno, or Cloudflare Workers by Tiptap / collaboration, yjs, real-time
  • React Native Runtimes: Run React Native components and functions across multiple JS threads to prevent main UI lag — offload heavy work like chat screens and large lists to dedicated secondary runtimes by Margelo / react-native, javascript, performance
  • Paseo: Self-hosted, privacy-focused platform for orchestrating and running multiple AI coding agents across mobile, desktop, and CLI environments by getpaseo / ai, agents, tools
  • HueGrid: Generate gradients across 22+ modes including mesh blending, noise-based organics, aurora effects, and particle fields by HueGrid / design, gradients, tools
  • Letterbox: Pick a font, choose your colors, and watch letters shaped by text come alive — a typographic playground by Letterbox / typography, design, fun
  • Liquid DOM: DOM-based implementation of Apple's liquid glass effect using HTML-in-Canvas and WebGPU by AndrewPrifer / css, webgpu, frontend, demo
  • Curlwind: No-build Tailwind utility generator — drop in a CDN URL with query params specifying only the classes you need, any variants, and custom prefixes by Steve Bauman / tailwind, css, tools
  • Code Wiki: Gemini-generated repo documentation that stays up-to-date — generates natural language summaries and architecture diagrams for any repository by Google for Developers / ai, documentation, tools
  • DeltaX: Columnar storage extension for time-series data in Postgres — uses regular tables so replication, backups, and pg_dump work as usual by Xata / postgres, time-series, extensions
  • replacements.fyi: Type in an npm package name and get lighter alternatives or Node.js built-in equivalents — is-number becomes a one-liner, axios becomes fetch, chalk becomes util.styleText by e18e / npm, javascript, tools
  • Mnemo: Local-first AI memory layer that stores persistent knowledge in a SQLite knowledge graph and injects relevant context into LLM sessions automatically by zaydmulani09 / ai, memory, tools
  • Open Code Review: AI-powered code review CLI that reads git diffs, sends files to a configurable LLM via an agent with tool-use capabilities, and generates structured review comments with line-level precision by Alibaba / ai, code-review, cli
  • Boxes: Cloud workbench for running multiple AI coding agents in parallel within isolated, persistent virtual machines — monitor and manage from any device by Boxes / ai, agents, tools
  • The Auth Book: Free comprehensive guide to authentication — sessions, passkeys, OAuth, and CSRF prevention for developers who want to understand the fundamentals by Pilcrow / auth, security, web

📺 Videos

Want to read more? Check out the full article here.

To sign up for the weekly newsletter, visit weeklyfoo.com.
