weeklyfoo #142 is here: your weekly digest of all webdev news you need to know! This time you’ll find 37 valuable links in 4 categories! Enjoy!
🚀 Read it!
- Stop Using JWTs: JWTs were never designed for session management — traditional cookie sessions are more secure, more flexible, and avoid the false promise of stateless auth by samsch / security, engineering / 23 min read
📰 Good to know
- The Log Is the Agent: The agent is the history of events that make up its data — this log concept lets agents be reconstructed and resumed, unlocking capabilities that make advanced agent use cases easier to reason about by TLDR / ai, agents, engineering / 1 min read
- The Only Scalable Delete in Postgres Is DROP TABLE: Large DELETEs leave dead tuples, add replication overhead, and don’t return disk space — structure your schema so bulk deletion becomes a DROP or TRUNCATE by PlanetScale / postgres, database, performance / 8 min read
- Don’t Trust Large Context Windows: LLMs have a reliable smart zone that degrades past roughly 100k tokens — effective attention is a small fraction of the advertised window size by Garrit Franke / ai, llm, performance / 4 min read
- AI Demands More Engineering Discipline, Not Less: AI makes generating code fast and disposable, shifting us from obsessing over individual lines to managing entire systems — this demands more rigor, not less by Charity Majors / ai, engineering / 21 min read
- A Backdoor in a LinkedIn Job Offer: A developer was targeted by a fake recruiter requesting a code review for a malicious GitHub repo — installing dependencies would silently execute a remote payload by roman.pt / security / 5 min read
- News from WWDC26: WebKit in Safari 27 Beta: Safari 27 ships 58 new features including customizable select, sizes=auto for lazy images, and CSS gap decorations by WebKit Team / css, frontend, browser / 67 min read
- CSS is Filling the Gaps: Gap decorations in grid and flex are now stable in Chrome 149 — style the space between rows and columns with column-rule, rule-inset, and more by Brecht De Ruyte / css, frontend / 13 min read
- A New Era For Software Testing: antirez on using AI agents as QA engineers — writing markdown specs that direct agents to exercise the full build on each release, replacing brittle scripted tests by Salvatore Sanfilippo / ai, testing / 4 min read
- WASI 0.3: WebAssembly System Interface 0.3 ships native async support for WebAssembly Components — a major milestone for WASM-based server and edge runtimes by Bytecode Alliance / webassembly, wasm / 9 min read
- How TanStack Cut TypeScript Type-Checking Work by Up to 86%: Using tsc diagnostics to find and eliminate expensive generic chains in TanStack Table v9 — concrete techniques reusable in any type-heavy library by TanStack / typescript, performance, react / 23 min read
- Don’t Run SQL Migrations in Tests: Content-addressing database state by hashing all migration scripts lets a test suite clone a cached database instead of running every migration per test — halved one Go project’s test time by Guillaume Gaultier / go, testing, database / 12 min read
- Babel 8.0: The JavaScript compiler’s first major release in eight years ships as ESM-only with dropped support for older Node.js versions and legacy polyfills by Babel Team / javascript, tooling / 11 min read
- The Scope of CSS @function: CSS custom functions resolve variables from where they are called rather than where they are defined — unlike custom properties they don’t inherit through the DOM, letting library authors encapsulate complex logic behind clean APIs by Jane Ori / css, frontend / 14 min read
- You Got Faster, Your Company Didn’t: AI makes individual developers dramatically more productive but organizational structures built for slower output haven’t adapted — the bottleneck has moved from writing code to reviewing, merging, and coordinating by Terrible Software / ai, engineering, productivity / 5 min read
- Node.js Security Releases: Eleven vulnerabilities fixed across Node.js 26.3.1, 24.17.0, and 22.23.0 — two rated high severity: a TLS hostname normalization bug and a WebCrypto flaw by Node.js Team / nodejs, javascript, security / 4 min read
- Large-Scale Malware Distribution Found on GitHub: A campaign using 10,000 repositories distributes Trojan malware disguised under various project names — repos constantly delete and re-add commits to complicate detection by Orchid Files / security, github / 10 min read
- TypeScript 7.0 RC: The release candidate ships the Go-based rewrite — 10x faster type-checking with no code changes required by Microsoft / typescript, javascript / 20 min read
🧰 Tools
- Ponytail: AI senior developer tool that produces efficient, minimal code at low cost and fast speeds — prioritizes native solutions over over-engineered abstractions and works with every model by DietrichGebert / ai, tools, cli
- SQL to ER Diagram: Paste a SQL schema and instantly generate a clean, interactive ER diagram by sqltoerdiagram / tools, database, sql
- mac-ocr: CLI tool built on Apple’s Vision framework for local, offline OCR on macOS — no cloud API required by Hiroki Osame / cli, tools, macos
- LikeC4: Architecture-as-code platform — describe your software systems in a DSL and get live, always-up-to-date architecture diagrams generated automatically by LikeC4 / tools, architecture
- MDN MCP Server: Bring MDN’s web platform documentation and browser compatibility data into any AI agent or IDE — accurate up-to-date answers instead of relying on stale model training data by MDN Team / mcp, ai, tools, web
- Epiq: Git-backed issue tracker with a TUI and kanban board — issues live with the code, work offline, and use append-only events to avoid conflicts by ljtn / tools, git, cli
- databow: CLI to run SQL against any ADBC database — supports DuckDB, BigQuery, Postgres, and SQLite with syntax highlighting and multiple output formats by Columnar Tech / tools, database, cli
- Prop for That: Bridges JavaScript values to CSS custom properties declaratively — mouse position, slider values, and the current time available as live CSS properties via a single HTML attribute by Adam Argyle / css, javascript, tools
- Lore: Epic Games’ open-source version control system optimized for projects combining code with large binary assets — verifiable tamper-evident history with an interface built for both developers and artists by Epic Games / tools, git, gamedev
- Eve: Vercel’s open-source agent framework with built-in durable execution, sandboxed computing, and human-in-the-loop approvals — agents are defined as a directory of files specifying components, actions, and connections by Vercel / tools, ai, agents
- NUB: All-in-one toolkit from Zod’s creator that augments Node.js — adds full TypeScript support beyond type stripping, faster and more secure package installation, and richer .env handling without replacing your package manager by Colin McDonnell / nodejs, typescript, tools
- Iroh 1.0: Peer-to-peer encrypted networking stack that punches through NAT and firewalls — built in Rust with official Node.js bindings for adding direct, private connections to any app by Iroh / nodejs, networking, tools, p2p
- Playwright 1.61: Now supports registering and testing passkeys, plus a new WebStorage API for reading and writing localStorage and sessionStorage directly in tests by Playwright Team / testing, javascript, tools
- Clear: Programming language where the spec and implementation are the same file — no translation step, no drift between docs and behavior, compiles to any target without modifying the spec by Şahin Özdemir / tools, ai, agents, programming
- Deno Desktop: Electron alternative built on Deno instead of Node.js — native window APIs with smaller binary size and faster startup by Deno / deno, javascript, tools
- ASCILINE: A high-performance, real-time ASCII video rendering engine that streams binary-encoded frames via WebSockets for ultra-low latency, 30 FPS playback using HTML5 Canvas and requestAnimationFrame by SteadyW / ascii, animation
- Flue 1.0 Beta: Cloudflare’s open-source agent framework beta — built on Workers and Durable Objects as a rival to Vercel’s Eve by Cloudflare / ai, agents, tools
🤪 Fun
- The Virtual OS Museum: A Linux VM that runs over 1700 historical operating systems from 1948 to present under emulation — mainframes, Unix variants, home computers, and mobile by virtualosmuseum.org / history, fun, os / 10 min read
- Sketching the Impossible: A 3D portfolio built without a single 3D model — pure CSS and creative technique by Codrops / css, frontend, portfolio, fun / 19 min read