Hackers broke into Instagram accounts this week by doing something almost insulting in its simplicity: they asked Meta's AI for access. And it obliged.
That wasn't the only assistant caught leaking. ChatGPT's Google Sheets integration was shown quietly exfiltrating entire workbooks through a single poisoned cell. The pattern is getting hard to ignore — we keep bolting agents onto live systems faster than we secure the seams between them.
The strange part is that the foundation underneath has never been in better shape. Deno shipped its biggest release ever and now passes more of Node's own test suite than Bun does. Chrome started previewing native out-of-order HTML streaming — the trick HTMX and Turbo built entire frameworks around, baked straight into the browser.
So that was the week: the platform got more powerful and the AI layer bolted on top got leakier, both at once. Here's everything worth your time.
The Big 3
Deno's 2.8 release is less a runtime update than a statement of intent. Node compatibility jumped from 42% to 76.4% of Node's own test suite — higher than Bun's — and TypeScript 6 is now the default compiler. There are six new subcommands, big performance wins, and deno install now defaults un-prefixed packages to npm, dropping the old npm: requirement. The framing has clearly shifted: Deno is no longer trying to replace npm and Node, it's trying to become the best place to run them. The "drop-in Node replacement" race is suddenly very real.
Chrome 148 is experimenting with two new API sets that let you stream and patch HTML out of order — <template for> for declarative templating and setHTML/streamHTML for safely injecting markup as it arrives. If that sounds familiar, it's because HTMX, Turbo Streams, and React Server Components all built substantial machinery to do exactly this. Having it native in the browser is a genuine platform shift: server-driven UI and progressive HTML rendering without a framework babysitting the DOM. Early days and experimental, but this is the kind of primitive that quietly reshapes how we build over the next few years.
This week delivered two reminders that AI agents are now part of your attack surface. Researchers gained access to Instagram accounts essentially by asking Meta's AI assistant nicely, and separately, ChatGPT's Google Sheets integration was demonstrated exfiltrating entire workbooks via a single poisoned cell. Neither is a hypothetical proof-of-concept — both are working exploits against shipped products. The lesson for anyone wiring an LLM into a system with real permissions: the model will do what it's asked, and "what it's asked" now includes whatever an attacker can smuggle into its context.
Articles & Tutorials
React Performance Isn't About useMemo — It's About Render Boundaries (8 min)
A sharp reframing of React performance that moves the conversation away from sprinkling useMemo everywhere toward where your render boundaries actually sit.
Optimizing Build Times: Migrating from Webpack to Rspack (10 min)
Yelp halved its build times by moving to the Rust-powered Rspack, with honest notes on barrel files and the migration gotchas you'll hit.
New to the Web Platform in May (6 min)
The authoritative monthly roundup of what actually shipped across browsers — features, APIs, and deprecations you can rely on.
Web Serial Support Lands in Firefox 151 (5 min)
Firefox now lets JavaScript talk to microcontrollers, 3D printers, and other serial hardware directly from the browser.
Self-Correcting Color Systems With CSS contrast-color() (12 min)
A deep dive into building themes that automatically pick accessible foreground colors using the new contrast-color() function.
Uncovering the Magic Behind Playwright's Fixtures API (9 min)
A clear walk through how Playwright's fixtures actually work under the hood — useful if you write or maintain serious test suites.
Stop Writing Rules in AGENTS.md — Use Agent Hooks Instead (8 min)
PostCSS/Autoprefixer author Andrey Sitnik on how to stop burning tokens teaching your coding agent things that belong in hooks and pre-commit instead.
Career & Takes
The State of the Software Engineering Job Market in 2026 (14 min)
A data-backed read on where hiring actually stands this year — what's cooled, what's heating up, and what it means for your next move.
Why We Should Call AI Agents "Clankers" (6 min)
Armin Ronacher makes an only-half-joking case for the language we use about agents — and why naming them honestly changes how we treat them.
Tools & Releases
Storybook 10.4 (3 min)
Adds first-class TanStack React support and agent-driven setup for getting Storybook running in complex apps.
Node.js v26.2.0 (3 min)
The latest Current release lands new APIs and fixes; LTS users stay on the v24 line.
pnpm 11.3 (4 min)
Adds pnpm stage for the new staged-publishing flow, plus trustLockfile and native pkg/repo/set-script commands.
Rust 1.96.0 (4 min)
A fresh stable Rust release for everyone shipping the Rust-powered tooling the JS world increasingly depends on.
Run Docker Containers Inside Vercel Sandbox (3 min)
Vercel Sandbox can now run full Docker containers, unlocking new CI and agent workflows in ephemeral environments.
Official Node.js Codemod: Axios → Fetch (2 min)
A maintained codemod that mechanically migrates Axios code to the native Fetch API.
Watch
All 17 TanStack Projects in ONE App! (24 min)
Jack Herrington stitches the entire TanStack ecosystem into a single working application.
The Forgotten Developer Who Saved JavaScript (11 min)
Fireship tells the story of the person who quietly kept JavaScript from going off the rails.
Scroll-Driven Animations Without Any JavaScript (16 min)
Kevin Powell builds genuinely useful scroll-driven animations using nothing but modern CSS.
GitHub's Plan for Agents — Kyle Daigle (60 min)
A candid conversation on where GitHub thinks coding agents are heading and how the platform is reorganizing around them.
Other Links
ChatGPT for Google Sheets Exfiltrates Workbooks — prompt injection via a single cell
Malicious npm Packages Hit Red Hat Cloud Services — supply chain reaches the enterprise
Restartable Sequences — low-level concurrency, deep and excellent
Cloudflare Cut Core Unit Boot Time From Hours to Minutes — serious firmware perf engineering
Kubernetes Dashboard Is Becoming Headlamp — the official successor explained
Launching the Rust Foundation Maintainers Fund — paying the people who keep Rust running
tinykeys 4.0 — tiny, modern keybindings library
Apache ECharts 6.1 — the charting workhorse gets an update
Partytown 0.14.0 — move heavy third-party scripts off the main thread
Vercel: Protecting Against Token Theft — practical auth hardening
Must-Know Failure Modes in Distributed Systems — solid fundamentals refresher
That's the week the platform got faster and the agents got chattier. If your AI assistant has been a little too helpful lately, hit reply and tell me about it — I read every one.
Until next week,
Niall