weeklyfoo #137 is here: your weekly digest of all webdev news you need to know! This time you'll find 28 valuable links in 5 categories! Enjoy!
Read it!
- TanStack npm Packages Compromised in Ongoing Supply-Chain Attack: 84 TanStack packages with over 12M weekly downloads hit in a supply-chain attack - deprecated versions pulled, GitHub Actions hardened with repo-owner guards and pinned action refs by Socket / security, javascript, npm / 20 min read
📰 Good to know
- The Anatomy of an Agent Harness: An AI agent is the functional combination of a core LLM and a surrounding harness - code, config, and logic for durable state, sandboxed execution, context compaction, and verification loops by LangChain / ai, engineering / 14 min read
- The Unwritten Laws of Software Engineering: When production fails, roll back before debugging - and treat all untested recovery plans as fictional. Hard-won rules about dependencies, four-eyes checks, and why temporary fixes become permanent by manager.dev / engineering / 8 min read
- I Returned to AWS and Was Reminded Hard Why I Left: Account suspension, unresponsive support, hidden billing, exorbitant egress fees, and vendor lock-in - one dev's frustrating attempt to come back to AWS after years away by fourlightyears / cloud, aws, opinion / 9 min read
- HTML in Canvas: A new experimental API lets you put a layoutsubtree attribute on a canvas element to render real HTML inside it - opening up physics, distortion, and custom rendering effects on actual DOM content by Frontend Masters / frontend, web / 24 min read
- How to Control Infinite CSS Animations: Combining and tweaking infinite CSS animations is harder than it looks - animation-composition property to the rescue by Frontend Masters / css, frontend / 13 min read
- The Slop Cannons In Your Engineering Org: A field guide to the engineer shipping huge AI-generated PRs they can't explain - confusing velocity for progress - with a manager's checklist for spotting and fixing the pattern by Jake Handy / ai, engineering, management / 12 min read
- A New HTML Element for Installing Web Apps: Chrome and Edge are testing a new install element that renders a trusted install button for PWAs with no JavaScript required - and how it compares to the Web Install API by Patrick Brosset / frontend, web, pwa / 9 min read
- 5 Years and $5M Later: Inventing a New Language for Web Dev Was a Mistake: The Wasp co-founder reflects on why building a custom programming language for web development was a mistake - too much friction with developer adoption and high IDE tooling maintenance costs - now transitioning to a TypeScript-based SDK by Wasp / engineering, opinion / 20 min read
- How To Work and Compound With AI: Every finished artifact - code, docs, analysis, decisions - becomes context for the next AI session and each correction updates a config that reduces future errors - a practical guide to making AI work compound over time by Eugene Yan / ai, productivity / 14 min read
- Patterns For Reducing Friction In AI-Assisted Development: The practices that make pair programming effective - onboarding, design discussion, shared standards - apply equally to AI coding assistants - five patterns for shifting from correcting a tool to collaborating with a teammate by Rahul Garg / ai, engineering / 13 min read
🧰 Tools
- Trees: Open-source library for high-performance file tree rendering in web apps - automatic virtualization for large datasets, built-in Git status indicators, and drag-and-drop support by pierre.computer / javascript, tools
- Mochi: High-fidelity browser automation library for the Bun runtime that prioritizes fingerprint consistency over simple randomization to bypass modern bot detection by 0xchasercat / bun, automation, tools
- Fontastic Space: A font pairing playground that puts Google Fonts side by side, visualizes how each letterform behaves next to the others, and scores which combinations actually work by Fontastic / design, fonts, tools
- Griddy Icons: Free open-source icon family with a unique utilitarian vibe by Filip Gres, Zuzana Benova / design, icons, tools
- e2a: Authenticated email gateway for AI agents with SPF/DKIM verification and HMAC signatures - lets agents communicate with humans via cloud webhooks or WebSocket without needing public URLs by Mnexa-AI / ai, tools
- Smallbits: Free set of 290+ pixel-style icons drawn on an 8x8 grid - available in Figma and SVG by Smallbits / design, icons, tools
- Wakaru: Feed it minified bundled JavaScript and get readable source modules back - useful for code recovery, reverse-engineering, and security auditing, with an online playground by Pionxzh / javascript, security, tools
- BlueJS: Ahead-of-time JavaScript compiler that produces tiny native binaries - 5ms startup, 3.8MB peak memory, GUI app in 1.2MB by bluejs.dev / javascript, tools
- Statewright: State machine guardrails that regulate AI agent tool access during workflow phases - narrows the problem space and increases coding benchmark success rates by Statewright / ai, tools
- AgentMemory: Persistent long-term memory server for AI coding agents including Claude Code and Cursor - hybrid search across sessions reduces token consumption by over 90% by Rohit Ghumare / ai, tools
- pg_flight_recorder: Pure SQL Postgres extension using pg_cron to continuously snapshot state - pg_stat_activity, locks, statements - giving you a rolling history of what was happening when things went wrong by Dmitry Ventin / postgres, databases, tools
- boring: SSH tunnel manager that simplifies opening, persisting, and listing tunnels - supports TCP and sockets including a reverse SOCKS5 proxy, configured via TOML by Alexander Becker / cli, ssh, tools
- Syncpack 15.0: CLI tool used by Electron, Cloudflare, and Vercel that finds and fixes dependency version mismatches across entire monorepos and enforces version policies - v15.0 adds pnpm and Bun catalog support and a default release age cooldown by Jamie Mason / javascript, monorepo, tools
- Mockdown: Free browser-based ASCII wireframe editor for creating UI mockups, lo-fi prototypes, and text diagrams by Mockdown / design, tools
- Orval: Given an OpenAPI v3 or Swagger v2 spec, generate type-safe models, request functions, React Query hooks, and mocks for React, Vue, Svelte, and Solid - also generates server-side code by Victor Bury / typescript, openapi, tools
🤪 Fun
- Cursor Camp: An interactive web experience from Neal.fun full of hidden goofy details to discover - cursors swimming in a lake, anyone? by Neal.fun / fun, web / 1 min read
📺 Videos
- TanStack Start vs Next.js with Tanner Linsley: A candid interview covering TanStack's business model, why Start exists alongside Next.js, and framework-agnostic thinking while still deeply focusing on React by Nuno Maduro / javascript, react