This week opens with a full-on supply-chain thriller: Ars Technica details TeamPCP poisoning hundreds of open-source packages, and GitHub’s npm update lands at exactly the right moment with staged publishing and tighter install-time controls.
Performance nerds are eating well: Yelp’s Rspack migration cut build times hard, Linear’s architecture teardown shows what “feels instant” really costs in engineering effort, and RuneScape on 56K proves constraints still produce timeless ideas.
On the AI/dev workflow front, Builder.io calls out the “AI PR slop” tax, while Anthropic’s Dynamic Workflows and Stripe’s talk show where serious agent orchestration is heading. Add in FLUE, Skybridge, and Kysely 0.29, and the tooling layer is moving almost as fast as the model layer.
Also worth pinning to your “save me later” list: Node stream leak failure modes, the sneaky PostgreSQL now() transaction-time trap, Deno 2.8, and a quietly important accessibility reminder from Manuel Matuzovic: don’t put aria-label on generic div/span elements unless you enjoy unpredictable screen-reader behavior.
Enjoy!
Sign up here for the newsletter to get the weekly digest right in your inbox.
Find the 15 highlighted links of weeklyfoo #139:
How Soon is now() in PostgreSQL
by Oskar Dudycz
now() isn't the current time but when the transaction started, which matters when a retry loop sees the same frozen timestamp and never makes progress
🚀 Read it!, postgres, sql, engineering
A hacker group is poisoning open source code at an unprecedented scale
by Ars Technica
TeamPCP has corrupted hundreds of open source tools in supply chain attacks, even breaching GitHub via a poisoned VSCode extension
📰 Good to know, security, open-source
Staged Publishing and New Install Controls for npm
by GitHub
npm and pnpm now support a review period before packages go live on the registry, with new options to control package sourcing
📰 Good to know, npm, javascript, security
Optimizing Build Times by Migrating from Webpack to Rspack
by Benson Pan
How Yelp cut build times in half with the Rust-powered webpack drop-in and what they learned about barrel files
📰 Good to know, performance, javascript, build
Don't Put aria-label on Generic Elements like Divs
by Manuel Matuzovic
Why slapping aria-label on a plain div or span is a spec violation and how screen readers across browsers show wildly inconsistent results
📰 Good to know, accessibility, html, a11y
The Production Playbook for Node.js Stream Leaks
by Durgesh Pawar
Five failure modes for Node streams that sail past tests and code review then break under real traffic, from unnoticed disconnects to leftover upstream fetches
📰 Good to know, nodejs, performance, engineering
How Linear is So Fast: A Technical Breakdown
by performance.dev
A teardown of Linear's local-first architecture, aggressive code splitting, granular observables, and GPU-accelerated animations
📰 Good to know, performance, engineering, frontend
How 2004 RuneScape Fit a Multiplayer RPG into 56K Dial-Up
by jkm.dev
A deep dive into the custom bit-packing protocol that kept a massive MMO playable on dial-up using shared world state
📰 Good to know, performance, engineering, history
I Didn't Become a Developer to Review AI Slop
by builder.io
AI made it cheap to open pull requests but not trustworthy, burying developers in mystery diffs that look clean on the surface but hide bugs and debt
📰 Good to know, ai, engineering, review
Introducing Dynamic Workflows in Claude Code
by Anthropic
Claude can now write orchestration scripts that spin up hundreds of parallel subagents for complex end-to-end tasks, in research preview for Max and Enterprise plans
📰 Good to know, ai, agents, engineering
Deno 2.8
by Deno
Biggest minor release yet with improved Node.js compatibility, native package manager improvements, and new runtime features
🧰 Tools, deno, javascript, runtime
FLUE
by Fred K. Schott
A TypeScript agent harness framework from the Astro team, akin to Claude Code with tasks, sandboxing and agent skills but entirely headless and programmable
🧰 Tools, ai, agents, typescript
Kysely 0.29
by Kysely
Type-safe TypeScript SQL query builder adds compile-time table scoping, read-only access enforcement at the type level, and AbortSignal query cancellation
🧰 Tools, typescript, sql, tools
Skybridge
by Alpic AI
Full-stack React framework for type-safe MCP applications and servers, with hot module reloading and a local emulator for AI environments like Claude and ChatGPT
🧰 Tools, mcp, react, ai
Gents in the Monorepo: How Stripe Uses LLM Coding Agents
by Chris Ruiz
Chris Ruiz from Stripe walks through agent strategies in production, from autonomous minions producing PRs from Slack to Claude Code-based agents executing multi-step migrations
📺 Videos, ai, agents, monorepo
Want to read more? Check out the full article here.
To sign up for the weekly newsletter, visit weeklyfoo.com.