weeklyfoo #140 is here: your weekly digest of all webdev news you need to know! This time you’ll find 37 valuable links in 4 categories! Enjoy!
🚀 Read it!
- How to Evaluate an npm Package: 2026 Edition: A practical checklist for vetting packages beyond star counts — provenance attestation, install scripts, CI quality, and maintainer responsiveness by Gabor Koos / npm, javascript, security / 17 min read
📰 Good to know
- You Must Fix Your Asserts: Disabling assertions in production lets software run under false assumptions — keep them active to trigger panics on violation or use them as compiler optimization hints by Loris Cro / debugging, assertions, code-quality / 15 min read
- Build Agents, Not Pipelines: Pipelines use fixed logic for predictability at scale; agents manage their own control flow for complex reasoning — a practical guide to knowing which to reach for by Sean Goedecke / ai, agents, llm / 13 min read
- Figma Make, Now on Your Local Code: Designers can now edit directly in the production codebase from Figma — visual edits, annotations, and PR creation without context switching by Figma / figma, design, tools / 9 min read
- Your Process’ Memory Is a File: Linux’s /proc/pid/mem allows direct read and write access to a process’s address space using standard file semantics by Michal Zalewski / linux, systems / 7 min read
- Websites Have a New Way to Spy on Visitors: Analyzing Their SSD Activity: The FROST method uses JavaScript to measure SSD timing patterns and infer which apps and tabs a visitor has open — a covert browser-based side-channel by Ars Technica / security, privacy, browser / 7 min read
- Dozens of Red Hat npm Packages Backdoored: Supply chain attack via the official npm channel — dozens of packages compromised through a hijacked publishing account by Ars Technica / security, npm, supply-chain / 7 min read
- Why Does tsgo Use So Much Memory?: A deep dive into the Go-powered TypeScript 7 compiler and why it can chew through gigabytes on large projects by Zack Radisic / typescript, performance, compilers / 12 min read
- 1-Click GitHub Token Stealing via a VSCode Bug: A vulnerability in VSCode’s webview security model lets attackers steal GitHub tokens through a single malicious link by bubbling keyboard events from isolated iframes by Ammar Askar / security, vscode, github / 14 min read
- Chrome DevTools MCP Server Stable in Chrome 149: The MCP server and CLI for Chrome DevTools letting AI coding agents drive debugging and perf audits is now officially stable by Chrome for Developers / chrome, devtools, mcp, ai / 10 min read
- HTML-in-Canvas API Origin Trial: Draw live interactive HTML and CSS into a canvas element — combining DOM accessibility and text layout with performant low-level graphics by Chrome for Developers / html, canvas, chrome, frontend / 8 min read
- Frontend’s Missing Metric: The TBT Window: A case for tracking the FCP-to-TTI interval where TBT is counted — TBT can silently regress with no real change in blocking work as FCP or TTI shift by Harry Roberts / performance, css, web-vitals / 19 min read
- Handling Graphs with SQL/PGQ in Postgres 19: Postgres 19 adds SQL/PGQ support — declare a property graph over tables and pattern-match with Cypher-like MATCH queries, all rewritten to relational queries by the planner by Hans-Jürgen Schönig / postgres, graphs, sql / 1 min read
- The Night Our Tables Wouldn’t Stop Growing: A production incident where a stray statement_timeout quietly broke logical replication and caused tables to balloon overnight by Semab Tariq / postgres, production, incident / 11 min read
- VoidZero Joins Cloudflare: The company behind Vite, Vitest, Rolldown, and Oxc is joining Cloudflare — the JS toolchain stack with the most momentum just found a new home by Cloudflare / javascript, vite, tooling / 13 min read
- Every Byte Matters: Packing data into Struct-of-Arrays instead of Array-of-Structs aligns access with cache lines — the technique can yield up to 30x performance improvements on sequential workloads by Fathi Zakaria / performance, engineering, systems / 6 min read
- How We Contain Claude Across Products: Anthropic’s multi-layered containment approach — sandboxes, VMs, strict egress controls, and model training — limits agent blast radius more reliably than human supervision alone by Anthropic / ai, security, engineering / 24 min read
🧰 Tools
- Website Spec: A platform-agnostic specification of the technical features every decent website should have by Joost de Valk / spec, web, seo, a11y
- Sandcastle: Provider-agnostic TypeScript library for running AI coding agents in isolated sandboxes — Docker, Podman, or Vercel by Matt Pocock / ai, typescript, agents
- Flowsint: Open-source graph-based OSINT tool that maps relationships between domains, IP addresses, and social media profiles by reconurge / security, osint, tools
- Hocuspocus 4: Plug-and-play real-time collaboration backend based on Yjs — runs on Node, Bun, Deno, or Cloudflare Workers by Tiptap / collaboration, yjs, real-time
- React Native Runtimes: Run React Native components and functions across multiple JS threads to prevent main UI lag — offload heavy work like chat screens and large lists to dedicated secondary runtimes by Margelo / react-native, javascript, performance
- Paseo: Self-hosted, privacy-focused platform for orchestrating and running multiple AI coding agents across mobile, desktop, and CLI environments by getpaseo / ai, agents, tools
- HueGrid: Generate gradients across 22+ modes including mesh blending, noise-based organics, aurora effects, and particle fields by HueGrid / design, gradients, tools
- Letterbox: Pick a font, choose your colors, and watch letters shaped by text come alive — a typographic playground by Letterbox / typography, design, fun
- Liquid DOM: DOM-based implementation of Apple’s liquid glass effect using HTML-in-Canvas and WebGPU by AndrewPrifer / css, webgpu, frontend, demo
- Curlwind: No-build Tailwind utility generator — drop in a CDN URL with query params specifying only the classes you need, any variants, and custom prefixes by Steve Bauman / tailwind, css, tools
- Code Wiki: Gemini-generated repo documentation that stays up-to-date — generates natural language summaries and architecture diagrams for any repository by Google for Developers / ai, documentation, tools
- DeltaX: Columnar storage extension for time-series data in Postgres — uses regular tables so replication, backups, and pg_dump work as usual by Xata / postgres, time-series, extensions
- replacements.fyi: Type in an npm package name and get lighter alternatives or Node.js built-in equivalents — is-number becomes a one-liner, axios becomes fetch, chalk becomes util.styleText by e18e / npm, javascript, tools
- Mnemo: Local-first AI memory layer that stores persistent knowledge in a SQLite knowledge graph and injects relevant context into LLM sessions automatically by zaydmulani09 / ai, memory, tools
- Open Code Review: AI-powered code review CLI that reads git diffs, sends files to a configurable LLM via an agent with tool-use capabilities, and generates structured review comments with line-level precision by Alibaba / ai, code-review, cli
- Boxes: Cloud workbench for running multiple AI coding agents in parallel within isolated, persistent virtual machines — monitor and manage from any device by Boxes / ai, agents, tools
- The Auth Book: Free comprehensive guide to authentication — sessions, passkeys, OAuth, and CSRF prevention for developers who want to understand the fundamentals by Pilcrow / auth, security, web
📺 Videos
- Stop Using :invalid and :valid — Use This Instead: A 3-minute CSS tip on a better approach to inline form validation using CSS without JavaScript hacks by Zoran Jambor / css, forms, frontend
- Postgres at 30 — A Chat with Its Creator: Mike Stonebraker covers how Postgres came to be, where Google and Amazon get databases wrong, and what he’s building next by The Peterman Pod / postgres, interview, databases
- All 17 TanStack Projects in One App: 14-minute tour of the entire TanStack ecosystem — Start, Router, Form, Query, and more all demonstrated in a single application by Jack Herrington / javascript, tanstack, react