Sponsored by
One of the people who taught a generation of developers JavaScript just pulled his life's work off the internet.
Dr. Axel Rauschmayer — Exploring ES6, JavaScript for Impatient Programmers, and 2ality.com, a blog that's been a free reference desk for the language since 2009 — took the whole thing offline this week. Not because he wanted to. Because AI crawlers were hammering his server hard enough that hosting it stopped being worth it. The bots trained on his explanations of JavaScript made it too expensive to keep those explanations online.
That was the week in one story, but it wasn't the only one. Bun merged its Rust rewrite — a huge, largely AI-translated port of a runtime a lot of you now ship to production — with maintainers openly asking whether anyone fully understands the new code. And npm got hit by another supply-chain wave, 300-plus packages compromised, finally prompting a serious proposal to turn install scripts off by default.
A reference site, a runtime, a registry. Three different layers of the stack, and the same pressure showing up in each: AI is moving faster than the humans expected to maintain, review, and pay for the web underneath it.
Two weeks of this piled up while work and life both decided to happen at once — apologies for the missed issue — so this one's dense. We're back on the program. Here's everything worth your time.
The full software lifecycle. Now in the age of AI.
WeAreDevelopers World Congress comes to San José, CA — September 23–25, 2026. 10,000+ developers, 500+ speakers, and the full software development lifecycle under one roof, in the heart of Silicon Valley.
Kelsey Hightower. Thomas Dohmke (fmr. CEO, GitHub). Christine Yen (CEO, Honeycomb). Mathias Biilmann (CEO, Netlify). Olivier Pomel (CEO, Datadog). The people actually building the tools you use every day — all on one stage.
AI, cloud, DevOps, security, architecture, and everything real builders ship with. Workshops, masterclasses, and the official congress party.
The Big 3
The rewrite from Zig to Rust — teased a couple of weeks ago as an experimental commit — got merged this week. The headline isn't the language swap; it's that the port was largely done by AI, and the maintainers themselves flagged questions about its quality. Rust may cut memory-safety bugs, but a large AI-translated codebase can pass every test while quietly hiding untested invariants and edge cases nobody fully understands. If you've moved production workloads onto Bun, this is the week to read the discussion and know what your fallback is. It's also a live preview of a question every team will face soon: can you maintain code no human ever really wrote?
Axel Rauschmayer has been one of JavaScript's great explainers for fifteen years — 2ality.com and books like Exploring ES6 taught the language to a huge chunk of the industry, for free. This week he took the blog and the books offline, overwhelmed by AI crawler traffic. It's a small story with a big shape: the open, freely-readable web that developers were raised on is becoming too expensive to host precisely because it's so useful to scrape. Buy his books if you learned from them — they're still for sale — and notice that "someone will just put it online" is quietly stopping being true.
Another week, another Shai-Hulud-style wave: 300-plus npm packages compromised, including popular ones from the antv family and timeago.js. The more important development is the response — a GitHub-authored RFC proposing that npm finally make dependency install scripts opt-in. npm is the only major package manager that still runs postinstall and friends by default, and it's been the entry point for attack after attack. The RFC weighs the tradeoffs honestly; it will break some workflows. But after this many incidents, "secure by default" is overdue. If you're not auditing installs already, npq sits in front of npm and checks packages first.
Articles & Tutorials
Soon We Can Finally Banish JavaScript to the ShadowRealm (6 min)
Mat Marquis tours the TC39 ShadowRealm proposal — running JavaScript in an isolated pseudo-realm with its own globals and intrinsics — and why it's the right tool for third-party code or anything you want kept out of global scope.
Moving Away From Tailwind — and Learning to Structure My CSS (10 min)
Julia Evans on dropping Tailwind from her own projects and actually learning to organise plain CSS — honest, practical, and a useful counterweight if utility classes have quietly become a reflex.
Cross-Document View Transitions: The Gotchas Nobody Mentions (18 min)
Durgesh Pawar's deep dive into everything the docs skip about cross-document view transitions — timing, lifecycle, and the edge cases that bite once you ship them on a real multi-page site.
Project Glasswing: What Mythos Showed Cloudflare (13 min)
Cloudflare's first writeup from pointing a frontier security model at live code: AI that chains primitives into working exploits, proves bugs by compiling and running them, and gets sharper when a second adversarial agent is told only to disprove the first.
Mark Erikson's Agent Setup, Workflow, and Tools (15 min)
The Redux maintainer goes deep on his actual daily AI workflow — OpenCode, how he manages a knowledge base and tasks, and what's worked. Specific and unhyped, the rare "here's my real setup" post.
Why Some Browsers Render Big Sites Differently (6 min)
Den Odell on a genuinely surprising fact: Firefox and Safari ship built-in per-site "interventions" that quietly patch popular sites that don't render correctly by default. A reminder of how much invisible compatibility glue holds the web together.
Nodebook: An Advanced Guide to Node.js Internals (guide)
Eight in-depth chapters on what's actually happening under Node — event loop internals, what V8 does, streams, module resolution, async/await. A proper internals reference, free to read.
Better Fluid Sizing With CSS round() (5 min)
Ahmad Shadeed shows how round() cleans up fluid typography and spacing, snapping fluid values to sensible steps instead of letting them drift to awkward sub-pixel sizes.
Career & Takes
Stack Overflow: When We Stop Asking (7 min)
The steep, ongoing decline in Stack Overflow questions, and what's lost when developers stop asking in public and start asking a model in private — for the asker, and for everyone who'd have learned from the answer.
5 Years and $5M Later: Inventing a New Language for Web Dev Was a Mistake (18 min)
Wasp's founders are honest about a hard call: the framework idea worked, the "new language" framing didn't. They're moving to TypeScript while keeping the model — a rare, useful retrospective on adoption friction.
AI's Impact on Software Engineers in 2026, Part 2 (13 min)
Gergely Orosz on the tradeoffs of AI tooling, why company-level adoption is genuinely hard, and what's actually changed in two years of engineers using these tools day to day.
Agent Pull Requests Are Everywhere. Here's How to Review Them (8 min)
Agent-generated PRs look clean and pass tests while quietly adding redundancy and debt. A practical guide to reviewing them: block weakened CI, catch duplicated utilities, trace critical paths, demand scoped changes.
Tools & Releases
Google I/O 2026: Gemini 3.5 Flash, Spark, and Antigravity (6 min)
Google's I/O dropped Gemini 3.5 Flash (no "preview" tag, slated to power everything), Spark background agents, and more — plus a heads-up that the Gemini CLI is being retired for an Antigravity CLI in June.
Anthropic Acquires Stainless (6 min)
Stainless — the SDK-generation company behind the official client libraries for a lot of APIs you already use — joins Anthropic. Worth watching if you depend on auto-generated SDKs.
Express.js Gets a New Look (3 min)
The web's most quietly load-bearing framework ships a new site, logo, and properly improved docs — a small but welcome sign of life from a refreshed Express.
Angular 22 Release Candidate (4 min)
Final is due early June. Expect signal-based forms and the OnPush change-detection strategy becoming the default — the signals migration continuing in earnest.
Pica 10.0: High-Quality Image Resizing in the Browser (4 min)
The in-browser image resizer's first big release since 2021 — WASM + Web Workers with a pure-JS fallback, now ESM, split builds, and migrated to TypeScript.
Alien Signals: "The Lightest Signal Library" (3 min)
A push-pull reactivity core distilled from Vue, Preact and Svelte — so well-tuned it got merged back into Vue itself. A neat look at modern signals if you want the primitive without a framework.
Watch
The TanStack Start Story: Tanner Linsley on Competing With Next.js (40 min)
A candid interview with TanStack's founder on building a full-stack framework, the bet behind TanStack Start, and going up against Next.js.
5 Underrated CSS Properties Every Developer Should Know (12 min)
Kevin Powell on five CSS properties that quietly solve problems you've probably been working around with more code.
A Single PR Just Hijacked the npm Registry (6 min)
Fireship's fast breakdown of the latest npm supply-chain attack — a clean two-minute primer to send anyone who asks what happened.
The New CSS text-box Property Is a Game Changer (12 min)
Web Dev Simplified on text-box — trimming the inconsistent space above and below text so vertical alignment finally behaves.
Other Links
Andrej Karpathy Joins Anthropic — the "godfather of vibe-coding" makes a move
Deno 2.8 Teased — Node compat, import defer, TS 6.0.3
We Are Leaving Bun — For Now — one team's migration back, explained
Chrome and Edge Are Building an <install> HTML Element — a trusted install button for PWAs
GitHub Investigating Unauthorized Access to Internal Repos — disclosed, investigation ongoing
Stopping AI Bot Spam With Git's --author Flag — a small, clever crawler defence
ORDER BY Has Come a Long Way — non-selected columns, expressions, null ordering
The Third Hard Problem: A Deep Dive on Tree Mapping — after naming things and cache invalidation
Rolldown 1.0.1 — the Rust bundler hits its first stable patch
The Last Six Months in LLMs in Five Minutes — Simon Willison's annotated lightning talk
A reference site, a runtime, a registry — three layers of the stack, all feeling the same squeeze this week. None of it means the tools are bad; it means the maintenance, the review, and the bill haven't caught up yet. The most useful thing you can do this week is small: audit one dependency's install scripts, and buy a book from someone who taught you something. If a piece of the open web mattered to you, hit reply and tell me which — those replies are the ones I read first.
Until next week (for real this time),
Niall