weeklyfoo #104

weeklyfoo #104 is here: your weekly digest of all webdev news you need to know! This time you’ll find 34 valuable links in 3 categories! Enjoy!

🚀 Read it!

• NPM Security Best Practices: How to stay safe from NPM supply chain attacks by boda / security, npm / 18 min read

📰 Good to know

• If you are good at code review, you will be good at using AI agents: Using AI agents correctly is a process of reviewing code. If you’re good at reviewing code, you’ll be good at using tools like Claude Code, Codex, or the Copilot coding agent. by Sean Goedecke / ai / 8 min read
• Dev Culture Is Dying The Curious Developer Is Gone: From tinkerers to metric seekers: How the shift in developer culture is impacting innovation and creativity. by Dayvi Schuster / engineering / 15 min read
• Why Local-First Apps Haven’t Become Popular?: Offline-first apps promise instant loading and privacy, but in practice, very few apps get offline support because getting sync right is surprisingly hard. by Marco Bambini / local-first / 6 min read
• Things I Believe: Ten topics. by Lee Robinson / engineering, growth / 3 min read
• Cap’n Web: A new RPC system for browsers and web servers by Kenton Varda, Steve Faulkner / javascript, rpc / 22 min read
• Getting AI to Work in Complex Codebases: It seems pretty well-accepted that AI coding tools struggle with real production codebases. by Dex / ai, engineering / 3 min read
• MESH: I tried HTMX, then ditched it by Alex Moon / htmx / 16 min read
• The Risks of NPM: In this post, I’m talking about the Qix incident. by Jim Nielsen / npm, security / 3 min read
• Your Images Are (Probably) Oversized: Are you setting the sizes attribute on your img tags? by Henrique Yuji Rossetti Inonhe / img, html / 3 min read
• Why you should replace PostgreSQL with Git for your next project: Every developer knows the pain of choosing the right database for their project. by Florian Margaine / database, git / 8 min read
• PostgreSQL 18 Released!: Next major release of Postgres by PostgreSQL Global Development Group / postgres / 9 min read
• Announcing Cloudflare Email Service’s private beta: Feature to send emails by Thomas Gauvin, Celso Martinho / email, cloudflare / 10 min read
• Ollama Web search: A new web search API is now available in Ollama. by ollama.com / ai, ollama, search / 6 min read
• Our plan for a more secure npm supply chain: Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem. by Xavier René-Corail / security, npm, supply-chain / 15 min read
• An AI tool I find useful: One of the tasks that I do most often is to review code. I’ve written a review command that asks an AI to review a code sample, and I’ve gotten a lot of value out of it. by Bill Mill / ai / 4 min read
• Top Programming Languages 2025: JS and TS in Top 10! by IEEE Spectrum / programming, languages / 14 min read
• GitHub Copilot CLI is now in public preview: We’re bringing the power of GitHub Copilot coding agent directly to your terminal. With GitHub Copilot CLI, you can work locally and synchronously with an AI agent that understands your code and GitHub context. by GitHub / ai, cli, github, copilot / 4 min read
• Auth.js is now part of Better Auth: Auth.js, formerly known as NextAuth.js, is now being maintained and overseen by Better Auth team by Bereket Engida / auth / 3 min read
• First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails by Idan Dardikman / mcp, security / 10 min read
• Wild Performance Tricks: The tricks here are a few of my favourites that I’ve used in the Wild linker. by David Lattimore / rust, performance, linker / 13 min read
• Context is Key: How HubSpot Scaled AI Adoption by Brian LaMattina, Francesco Signoretti, Ze’ev Klapow / ai, adoption / 9 min read

🧰 Tools

• Feedmaker: Make your own feed by Kevin Schaul / rss
• Cachey: Read-through cache for object storage by cachey.dev / object-storage
• FumaDocs: The beautiful & flexible React.js docs framework. by fumadocs.dev / docs
• TanStack Start v1 Release Candidate: Full-stack Framework powered by TanStack Router for React and Solid by Tanner Linsley / tanstack, tanstart
• Dolphin: Document Image Parsing via Heterogeneous Anchor Prompting by bytedance / ocr
• Spec Kit: An effort to allow organizations to focus on product scenarios rather than writing undifferentiated code with the help of Spec-Driven Development. by GitHub / spec, development
• repo2txt: Web-based tool converts GitHub repository contents into a single formatted text file by Abin Thomas / ai, llm, conversion
• Color Generator: Nothing to add by Kigen / colors
• pgschema: Terraform-style, declarative schema migration for Postgres by pgschema.com / postgres, migration
• Quiet UI: A UI library for the Web focusing on accessibility, longevity, performance, and simplicity. by quietui.org / ui
• kitty: The fast, feature-rich, GPU based terminal emulator by Kovid Goyal / terminal
• zoxide: A smarter cd command. Supports all major shells. by Ajeet D’Souza / cd, shell