weeklyfoo #81

weeklyfoo #81 is here: your weekly digest of all webdev news you need to know! This time you’ll find 33 valuable links in 6 categories! Enjoy!

🚀 Read it!

• Stealing credentials via polymorphic Chrome Extension: A few days ago, I came across new research explaining a novel cybersecurity attack via polymorphic Chrome Extension. After watching the demo video, I was curious to understand how exactly it could be implemented and decided to spend some time recreating it. by Charlie Gerard / security / 11 min read
• How to be the best programmer, according to Daniel Terhorst-North: Great programmers are not born; they are made - says Daniel Terhorst-North, the author of the viral Twitter thread on the best programmer he knows. by Antonija Bilic Arar / engineering, performance / 9 min read

📰 Good to know

• Advanced React in the Wild: Production Case Studies from Ambitious Web Projects (2022–2025) by Addy Osmani, Hassan Djirdeh / react / 43 min read
• SVG: More about SVG. Note that the example code is written in JSX (or React), not ordinary HTML. by Fuma Nama / svg / 4 min read
• Everything Wrong with MCP: Explaining the Model Context Protocol and everything that might go wrong. by Shrivu Shankar / mcp / 19 min read
• How to Hire: Most companies hire the same way. They look for people who’ve already proven themselves elsewhere. They compete for the same small pool of established talent. This seems logical, but there’s a better approach. by Hardik Pandya / hiring / 6 min read
• The Post-Developer Era: Two years ago, in March 2023, I published a blog post called “The End of Front-End Development”. This was right after OpenAI released its GPT-4 showcase, and the general reaction was that human software developers were about to be made redundant, that software would soon be written exclusively by machines. by Josh Comeau / engineering / 15 min read
• How I don’t use LLMs: I enjoy shocking people by telling them I don’t use LLMs. by Argmin Gravitas / llms / 14 min read
• Tauri vs. Electron: performance, bundle size, and the real trade-offs: A breakdown of the choice between Tauri and Electron for cross-platform apps, backed by practical comparisons and benchmark data. by Costa Alexoglou / electron, tauri / 8 min read
• This is why you’re not shipping: Red flags for teams that want to ship fast by Andy Vandervell / engineering, performance / 11 min read
• Atuin Scripts: Shareable, Syncable Shell Snippets by Ellie Huxtable / shell, atuin / 4 min read
• The Second Half: tldr: We’re at AI’s halftime. by Shunyu Yao / ai / 13 min read
• How to write error messages that actually help users rather than frustrate them: One of the most consistently neglected parts of today’s user experiences is our handling of errors. by Amy Hupe / errors / 8 min read
• Staff+ self-onboarding questions: Useful questions to get a head start as a newly hired Staff, Principal, or Distinguished engineer by Alex Ewerlof / engineering, questions / 25 min read
• Principles for coding securely with LLMs: Writing code with LLMs is fundamentally different from other ways of programming. LLMs are often non-deterministic and always unpredictable. They have a capability that no other technology can match: the ability to interface with natural language. What does that mean for security? by Sean Goedecke / ai, security / 10 min read
• Hako: An embeddable, lightweight, secure, high-performance JavaScript engine. by Andrew Sampson / javascript, embeddable / 5 min read

🧰 Tools

• Datastar: Datastar helps you build reactive web applications with the simplicity of server-side rendering and the power of a full-stack SPA framework. by Star Federation / html, framework
• gh-signoff: Local CI. Sign off on your own work. by Basecamp / github
• ts-rest: RPC-like client, contract, and server implementation for a pure REST API by ts-rest.com / typescript, rpc
• Mossaik: Create beautiful abstract SVG images for your designs. by Gabriel Perales / svgs
• Lexe: Package your Node.js application into a single executable file, but only 10MB. by Ray-D-Song / nodejs
• Demo Magic: A handy shell script that enables you to write repeatable demos in a bash environment. by Paxton Hare / cli
• @11ty/image-color: Small utility to efficiently fetch the colors from an image. by Eleventy / images, colors
• MCP Shield: Security scanner for MCP servers by Nikita / mcp, security
• Scalar: An offline first API Client built for OpenAPI by scalar.com / api
• protobuf-ts-types: Zero-codegen, no-compile TypeScript type inference from protobuf messages by Nathan H. Leung / protobuf
• react-photo-sphere-viewer: Photosphere Viewer for React.JS by Elia Lazzari / react
• PureAnim: SVG animations! by Sebastian G. / svgs, animations
• ActorCore: Stateful Serverless That Runs Anywhere. The easiest way to build stateful, AI agent, collaborative, or local-first applications. Deploy to Rivet, Cloudflare, Bun, Node.js, and more. by actorcore.org / ai

🎨 Design

• The Post-UX Era: The article argues that UX has matured into a baseline expectation — usable, accessible, and consistent design is no longer a competitive edge but a standard. by Nate Schloesser / ux / 20 min read
• Introducing Kermit: A typeface for kids: Using design to empower children by making reading easier, improving comprehension, and helping dyslexics. by Rob McKaughan / fonts / 17 min read

📚 Tutorials

• A flowing WebGL gradient, deconstructed: In this post, I’ll break it down step by step. You need no prior knowledge of WebGL or shaders — we’ll start by building a mental model for writing shaders and then recreate the effect from scratch. by Alex Harri / webgl, shaders / 48 min read

📺 Videos

• VS Code Agent Mode Just Changed Everything: In this video, I’ll show you how to use agent mode, MCP Servers and PRD documents to build an entire app complete with database. by Burke Holland / vscode, ai