TypeScript 7.0 is officially out — the full Go-port rewrite, 10x faster compilation, validated against real-world large codebases. If you've been waiting for a reason to care about compiler speeds, here it is.
The agent beat is packed this week. Oleg Luganskiy reviewed 35 active CLI coding agents so your stack decision doesn't have to be a coin flip. Matt Rickard shows how Cognition shards codebases MapReduce-style and uses Git itself as the inter-agent communication layer — boring infrastructure, genuinely clever coordination. Jesse Vincent argues that agents write better code when the engineer building their tooling is in the loop, not at arm's length.
Security corner delivered two memorable entries: Noma Security's GitLost shows how a public GitHub issue can become a prompt injection vector that extracts data from private repos — a live attack if your agents have repository access. Anthropic's GRAM isolates dual-use knowledge into dedicated model compartments that actively resist recovery attempts, which is a more honest containment story than post-training scrubbing. And npm v12 finally ships with lifecycle scripts off by default — a supply-chain vector that's been open since npm's early days is now closed.
Also notable: Bun rewrote its runtime from Zig to Rust with Anthropic's models — faster, smaller, safer, probably the most consequential AI-assisted migration shipped in public. ECMAScript 2026 officially adds Array.fromAsync and native Base64/Hex conversion, quietly retiring whole categories of utility imports. Ubuntu's team used TLA+ to track down a 16-year-old SQLite WAL corruption bug — formal verification making a strong practical case for itself. And Kapa AI pruned 68% of RAG context with a small LLM while keeping 96% recall — small models as intelligent pre-filters, not just cheaper completions.
On the tools side: Vite+ arrives in beta as an open-source MIT toolkit unifying Vite, Vitest, and Oxlint under a single vp command (originally planned as commercial — community pressure wins). Herdr gives agents SSH-reachable persistent terminal sessions that survive disconnects. OSV.dev pulls advisories from PyPA, GitHub, Go, Rust, and more into one open API for cross-ecosystem dependency scanning. And Postgres Is Enough catalogs 89 extensions mapping Postgres onto Redis, Kafka, and Elasticsearch use cases — the single-database argument finally has a proper directory.
Enjoy!
Signup here for the newsletter to get the weekly digest right into your inbox.
Find the 15 highlighted links of weeklyfoo #145:
Announcing TypeScript 7.0
by Microsoft
TypeScript 7.0's native Go port delivers up to 10x faster compilation, tested across large-scale real-world codebases
🚀 Read it!, typescript, performance
State of CLI Coding Agents, Mid-2026
by Oleg Luganskiy
A survey of 35 actively maintained terminal-based coding agents, with Claude Code, Codex CLI, and Omp leading on memory, editing precision, and orchestration
📰 Good to know, ai, agents, tooling
Rebuilding Cognition's Agentic MapReduce
by Matt Rickard
How Cognition scales agent tasks by sharding codebases, verifying vulnerabilities in parallel, and using Git itself for inter-agent communication and fault tolerance
📰 Good to know, ai, agents, engineering
Hunting a 16-Year-Old SQLite Bug With TLA+
by Alberto Carretero
Modeling SQLite's Write-Ahead Log behavior in TLA+ to check whether dqlite was exposed to a long-standing corruption bug — it wasn't, thanks to stricter locking
📰 Good to know, sqlite, engineering
How We Taught a Small LLM to Throw Away 68% of Our RAG Context
by Kapa AI
A small, cheap LLM learned to prune 68% of retrieved RAG context chunks while keeping 96% recall, cutting cost without sacrificing accuracy
📰 Good to know, ai, engineering
Some New Agentic Patterns
by Jesse Vincent
Letting an agent work directly with the engineer building its runloop and tooling produces higher-quality results than routing every change through a human intermediary
📰 Good to know, ai, agents, engineering
What's New in ECMAScript 2026
by Pawel Grzybek
The newly approved 876-page ECMAScript 2026 spec adds Array.fromAsync, native Uint8Array Base64/Hex conversion, and more — most already usable today in browsers and runtimes
📰 Good to know, javascript, ecmascript
Rewriting Bun in Rust
by Bun
Facing recurring use-after-free and double-free bugs from Zig's manual memory management, Bun's team used Anthropic's models to rewrite the runtime in Rust, ending up faster, smaller, and safer
📰 Good to know, rust, engineering, bun
An Off Switch for Dual-Use Knowledge in AI Models
by Anthropic
Anthropic's GRAM (Gradient-Routed Auxiliary Modules) isolates dual-use knowledge like cyber offense/defense into dedicated model compartments, resisting attempts to recover removed knowledge
📰 Good to know, ai, safety
GitLost: How We Tricked GitHub's AI Agent Into Leaking Private Repos
by Noma Security
An indirect prompt injection through public GitHub issues let attackers exploit GitHub's Agentic Workflows to extract data from private repositories
📰 Good to know, security, ai, agents
npm v12 Ships With Install Scripts Off by Default
by GitHub Blog
npm 12 is now GA with lifecycle scripts and implicit node-gyp builds no longer running by default, closing off a major supply-chain attack vector
📰 Good to know, npm, security, nodejs
Vite+ Beta
by VoidZero
The Vite team's unified toolchain brings Vite, Vitest, Oxlint, and more together under a single vp command — originally planned as commercial, now open sourced under MIT
🧰 Tools, vite, tooling, javascript
Herdr
by Herdr
A terminal-based multiplexer for running multiple coding agents in persistent sessions that survive disconnects and can be reached remotely over SSH
🧰 Tools, ai, agents, cli
OSV.dev
by OSV
An open, distributed vulnerability database that aggregates open-source security advisories for scanning dependencies via API, CLI, or GitHub integration
🧰 Tools, security, opensource
Postgres Is Enough
by Goodway
A directory of 89 extensions and tools that let Postgres stand in for Redis, Elasticsearch, Kafka, and other systems
🧰 Tools, postgres, database
Want to read more? Check out the full article here.
To sign up for the weekly newsletter, visit weeklyfoo.com.
Top comments (0)