Frontend Masters May 2026: Supply Chain Worms, TypeScript in Go, and the End of sizes
Published on 02.05.2026
SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack
TLDR: A new variant called Mini Shai-Hulud poisoned several SAP cloud-application-development packages with a preinstall script that downloads Bun, runs a credential stealer, and exfiltrates encrypted secrets to GitHub. It also writes Claude Code and VS Code config files so opening the repo triggers the malware again.
Introducing Claude Opus 4.7
TLDR: Anthropic shipped Opus 4.7 with material gains in long-running agentic coding, better instruction following, higher-resolution vision, and a new xhigh effort tier. Pricing matches Opus 4.6, but token usage is up because the tokenizer changed and the model thinks more at high effort.
Announcing TypeScript 7.0 Beta
TLDR: TypeScript 7.0 is the Go port, and it is roughly ten times faster than 6.0. The type-checking semantics are identical, the new tsgo binary is ready for daily work, and a parallel compatibility package keeps 6.0 working alongside it.
pnpm 11.0
TLDR: pnpm 11 hardens the security defaults from the v10 cycle, drops the npm CLI fallback for a native publish flow, replaces the JSON-per-package store with SQLite, and isolates global installs. Node 22 is the floor, and pnpm itself is now pure ESM.
Highlights from Git 2.54
TLDR: Git 2.54 introduces git history for simple reword and split operations without an interactive rebase, config-based hooks that work across repos, and geometric repacking as the default maintenance strategy.
Announcing Rspack 2.0
TLDR: Rspack 2.0 ships a roughly 10 percent build-time improvement over 1.7 and 100 percent over 1.0, drops most default dependencies, adds React Server Components support, and starts moving defaults toward modern JavaScript rather than webpack 5 parity.
The end of responsive images
TLDR: sizes auto plus loading lazy, now supported across all major browsers, lets you stop hand-writing sizes attributes for almost every image on a page. The browser determines the rendered size at lazy-load time and picks the right candidate from srcset.
What's actually new in JavaScript and what's coming next
TLDR: ES2025 shipped iterator helpers, Set methods, JSON modules, Promise.try, and RegExp.escape. ES2026 brings Math.sumPrecise, Uint8Array base64 and hex, Error.isError, Map.getOrInsert, and JSON.parse with source. Temporal, using, and import defer are mature in engines but slated for ES2027.
Agentic Engine Optimization
TLDR: AI coding agents read your docs differently than humans: in one or two HTTP requests, ignoring all client-side analytics, with hard token-budget limits. The discipline of structuring docs for agents (llms.txt, AGENTS.md, skill.md, robots.txt, token surfacing) parallels SEO and matters now.
Under the hood of MDN's new frontend
TLDR: MDN replaced its Create React App-derived SPA with a server-rendered Lit web component architecture, shipped per-component CSS and JavaScript that loads only when needed, and got the local dev environment from two minutes to two seconds.
font-family Doesn't Fall Back the Way You Think
TLDR: When you declare font-family on a child element, fallback resolution is local to that declaration, not inherited from the parent. So a heading with font-family Open Sans and no fallback will flash to Times, not the system-ui sans-serif you thought you set on body.
AI-Generated UI Is Inaccessible by Default
TLDR: General-purpose AI tools generate visually correct UI with near-zero accessibility tree information. The fix is a five-layer enforcement system: prompt constraints, ESLint jsx-a11y, axe-core in tests, axe in CI, and accessible component primitives like Radix or Headless UI.
AI Amplifies Everything: A Team Lead's Guide to AI-Assisted Development
TLDR: AI is a multiplier on whatever your team already does. Strong review, conventions, and testing become dramatically more powerful. Weak processes become disasters. The real cost is in operational debt, the gap between what the system does and what your team understands.
Constructable Stylesheets and adoptedStyleSheets
TLDR: Constructable Stylesheets are CSSStyleSheet objects you create in JavaScript and attach to shadow roots or the document via adoptedStyleSheets. The browser parses the sheet once, then shares it across every adopter. Lit handles the lifecycle for you via static styles.
Constructable Stylesheets and adoptedStyleSheets: One Parse, Every Shadow Root
Building a UI Without Breakpoints
TLDR: Modern CSS gives you intrinsic layouts, fluid values via clamp, container units, and container queries. Together they cover most of what viewport breakpoints used to do, with less code, fewer regressions, and components that adapt to where they actually render.