axios Got Poisoned, TypeScript 6 Lands, and JavaScript Finally Handles Dates Like an Adult
Published on 04.04.2026
axios Compromised on npm: Malicious Versions Drop a Remote Access Trojan
TLDR: Two malicious versions of axios were published to npm on March 30, 2026. If you installed [email protected] or [email protected], assume your system is compromised and act accordingly.
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
Announcing TypeScript 6.0
TLDR: TypeScript 6.0 is out and it is explicitly a bridge release, cleaning house on decades of legacy options so TypeScript 7.0 (rewritten in Go with parallel type checking) can land cleanly. The deprecation list is long and will break things.
Temporal: The 9-Year Journey to Fix Time in JavaScript
TLDR: The Temporal proposal has reached Stage 4 after nine years of work across multiple companies and browser engines. JavaScript finally has a modern datetime API that handles time zones, calendars, immutability, and daylight saving transitions correctly.
Temporal: The 9-Year Journey to Fix Time in JavaScript
Vite 8.0 Is Out
TLDR: Vite 8 ships Rolldown as its single unified Rust-based bundler, replacing the esbuild-for-dev, Rollup-for-production split that powered Vite since the beginning. Real-world build times are dropping 30-64% at companies that have already migrated.
Comprehension Debt: The Hidden Cost of AI-Generated Code
TLDR: AI coding tools are creating a new kind of technical debt: comprehension debt. The codebase grows faster than human understanding of it, creating false confidence that eventually collapses under unexpected pressure.
Comprehension Debt - the hidden cost of AI generated code
The Great CSS Expansion
TLDR: A wave of CSS features is landing that explicitly replaces JavaScript-heavy UI patterns. Anchor Positioning, Popover API, native dialog, Scroll-Driven Animations, and View Transitions together eliminate roughly 322kB of JavaScript libraries from a typical modern SPA.
The Three Pillars of JavaScript Bloat
TLDR: npm dependency trees are full of redundant packages for three specific reasons: support for ancient engines, atomic micro-package philosophy, and ponyfills that outlived their purpose. Understanding why they exist is the first step to removing them.
The Three Pillars of JavaScript Bloat
The 49MB Web Page
TLDR: A New York Times article load generates 422 network requests and 49MB of data. This piece tears apart the architecture behind that number: programmatic ad auctions running in the browser, surveillance beacons firing constantly, and deliberate UX hostility engineered to maximize time-on-page metrics.
Form-Associated Custom Elements in Practice
TLDR: If you are building web components that wrap form controls, they will not appear in FormData, respect form.reset(), or respond to fieldset disabled unless you implement the Form-Associated Custom Element API. This piece explains how to actually do that.
Form-Associated Custom Elements in Practice
The Big Gotcha of Anchor Positioning
TLDR: CSS Anchor Positioning does not work regardless of DOM position, despite what the marketing says. The anchor element must be fully laid out before the anchored element, and they need to be in the same containing block or have the anchor positioned statically. This breaks when you do sensible DOM things.
The Big Gotcha of Anchor Positioning
When Deno or Bun Is a Better Solution than Node.js
TLDR: A freelance developer who ships production code across all three runtimes explains when each one is actually the right choice: Deno for security requirements and self-contained distribution, Bun for iteration speed, Node.js when hiring speed and ecosystem depth matter more than anything else.
When Deno or Bun is a Better Solution than Node.js
No AI in Node.js Core: A Petition
TLDR: A petition signed by hundreds of Node.js contributors asks the Technical Steering Committee to reject AI-generated pull requests to Node.js core, following a 19,000-line PR generated with Claude Code by a long-time contributor.
NoJS 3: Making Flappy Bird with Pure HTML and CSS
TLDR: Someone built a fully playable Flappy Bird clone using only HTML and CSS, no JavaScript, by exploiting animated custom properties, radio button state, the :has() selector, and CSS collision detection math. It is absolutely wild.