In partnership with
A regular user can get root on most Linux boxes this week with a Python script.
Not a hypothetical. Not chained-exploit dependent. A flaw that's been sitting in the kernel since 2017 was disclosed publicly this week as Copy Fail (CVE-2026-31431), and the proof of concept is short enough to paste into a chat. If you run anything multi-tenant — container clusters, shared CI runners, your own VPS — you have work to do today.
Meanwhile, Zed shipped 1.0. Five years after the team behind Atom decided to throw out the architecture they built and rewrite an editor like a video game, the result is finally stable. GitHub had its second public availability post-mortem in two months and patched a critical RCE in its git push pipeline in under two hours. And Node.js 26 dropped with the Temporal API turned on by default — meaning JavaScript's most-mocked builtin, the Date object, finally has a working successor in every Node app you'll write next year.
The platform underneath you got faster. The platform between you and your users had a 9-year-old root exploit on its desk. And the platform on top of you patched a critical bug while admitting it can't keep up with how fast it's growing. Here's everything else worth your time.
Ghost: Free Postgres For Agents
Agents are desperate for ephemeral databases.
They spin up projects, fork environments, test ideas, and tear them down. Over and over. But every database on the market was designed for humans who provision once and stick around. Agents don't work that way.
Ghost is a database built for agents. Unlimited databases, unlimited forks, 1 TB of storage, and 100 compute hours per month. All free. Try it here.
The Big 3
Zed hit 1.0 this week, five years after the team behind Atom restarted from a blank file. The editor is built in Rust on a custom GPUI framework that treats text rendering more like a game loop than a DOM tree, and the payoff is the headline-feature most other editors can't match: it stays responsive on huge files and large monorepos where VS Code starts to choke. Multi-language support, collaborative editing, deep AI-native features (with a model-agnostic story, not a tied wallet), and a plugin system are all in the box. Whether or not Zed wins your daily-driver slot, this is the first credible "from scratch" challenger to the Electron editor era — and it took the people who built Electron's most popular editor to ship it.
GitHub disclosed and patched a critical remote code execution vulnerability in its git push pipeline (CVE-2026-3854) in under two hours after a security researcher found it via AI-assisted reverse engineering. The same week, Vlad Fedorov published a fresh availability post-mortem covering the recent merge queue incident — the second public reliability mea culpa in two months, with GitHub openly admitting that AI-driven traffic growth has pushed the platform past its current scaling limits. The two stories together tell one: GitHub is straining at the seams, fixing its way out at speed, and being unusually honest about it. Theo's video below ("the painful death of GitHub") is the loudest take, but it isn't a fringe one anymore.
Node.js 26 (Current) landed this week with the Temporal API enabled by default after the V8 14.6 upgrade. That means the long-promised replacement for Date — proper time zones, calendar arithmetic, durations, and immutable instants — is just there in every new Node project, no flags, no shims, no Tom Cruise-tier polyfill bundle. JS Weekly has a clean rundown of what else is in 26 (alongside everything that landed in ES2025/ES2026: iterator helpers, Promise.try, Map.getOrInsert, using). For anyone who's been writing date math by hand for fifteen years, this one's not subtle.
Articles & Tutorials
The React Compiler at Eighteen Months (11 min)
A year and a half after React 19 shipped the stable compiler, the real impact has been quieter than the benchmarks: bug elimination beats raw speed. A clear-eyed look at what the compiler actually fixed, what's still debated ('use no memo' as creeping technical debt), and what's coming.
What's Actually New in JavaScript (and What's Coming Next) (8 min)
Iterator helpers, Promise.try, Map.getOrInsert, using, Temporal — every relevant ES2025 and ES2026 feature in one place, with code, instead of fifty scattered TC39 posts.
Scroll-Driven Animations (3 min)
Josh Comeau on the new animation-timeline API. Native scroll-linked animation, no JS, broad browser support — and a couple of really good demos to copy from.
Debugging WASM in Chrome DevTools (7 min)
Eli Bendersky on Chrome's "very capable" WASM debugger — what it does well, what to watch for, and why it's now reasonable to write production WASM without flying blind.
FastCGI: 30 Years Old and Still Better for Reverse Proxies (7 min)
A genuinely surprising argument: HTTP-to-HTTP reverse proxying inherits HTTP's worst footguns (desync attacks, header trust ambiguity), and FastCGI sidesteps all of them. A reminder that "modern" isn't always the better default.
The End of "Just Ask Sarah" (6 min)
Human engineers can rely on tribal knowledge. Coding agents can't — they have a context window and amnesia between sessions. The post argues that this gap creates "intent debt" and forces teams to write down things they've never had to write down before.
How Stripe Detects Fraudulent Transactions Within 100ms (14 min)
ByteByteGo's deep dive on Stripe Radar — feature stores, model serving, and the architecture that makes a sub-100ms decision on every charge. A real-world ML systems read.
Career & Takes
The Last Software Engineer (7 min)
A sharp argument that as agents take over implementation, the durable skill isn't writing code — it's owning the consequences. Judgment, not throughput.
How to Be Successful Interviewing for Big Tech (10 min)
Postman's hiring lead makes the case that LeetCode interviews don't predict the job, and shares what an interview that mirrors actual engineering work — including AI use — looks like in 2026.
"I Don't Want to Vibecode — I Want Professionally Managed Code" (3 min)
Matthew Yglesias, five months in, putting words on something a lot of senior engineers have been circling for months. Quoted via Simon Willison.
Tools & Releases
Rspack 2.0 (4 min)
The Rust-based, webpack-compatible bundler is 10% faster than v1.7, ships better tree-shaking via stronger static analysis, and adds experimental RSC support. Rsbuild 2.0 dropped the same day.
Fresh 2.3 (4 min)
Deno's full-stack framework gains first-class WebSocket support, ships zero JS by default for static pages, and turns the View Transitions API on with a single attribute. The kind of release that makes Fresh worth a second look.
TSRX: A TypeScript Language Extension for Declarative UIs (3 min)
A new attempt at improving on JSX from a Svelte maintainer and former React core engineer. Control flow, scoped styles, locals — and it compiles to React, Preact, Solid, and Ripple. Niche, but the lineup of who built it makes it worth a look.
Aube — A New Rust-Powered JS Package Manager (3 min)
From the creator of Mise, a fresh contender focused heavily on raw performance. The benchmarks page is the pitch.
Mistral Vibe Agents — Mistral Medium 3.5 for Async Coding (6 min)
A 128B dense model wired into remote agents that run long async coding tasks in the cloud, kicked off from the CLI or Le Chat. SWE-Bench Verified scores are competitive; the more interesting bit is the "kick it off and walk away" UX.
Watch
The Easiest (and Some New) Ways to Center With CSS (10 min)
Kevin Powell on the modern centering toolkit. Better than the meme.
How to De-Slop a Codebase Ruined by AI (10 min)
Matt Pocock on the patterns he's using to claw back maintainability in codebases where AI moved faster than the discipline did. Practical, not preachy.
Syntax Episode 1,000 (60 min)
Wes and Scott hit four digits. A quietly remarkable thing for a developer podcast — worth a listen for the reflection on how the JS ecosystem has changed under their feet.
Other Links
Copy Fail (CVE-2026-31431) — 9-year Linux kernel root flaw, patch today
Zig's Anti-AI Contribution Policy — strictest stance of any major OSS project
"Be Brief" Beat a 600-Line Claude Compression Plugin — two words, same results
Claude Code's HERMES.md Mishap — the bug that billed users $200 over a filename
Kubernetes 1.36 — Mutable Pod Resources for Suspended Jobs — beta, finally
Cloudflare Post-Quantum IPsec Goes GA — hybrid ML-KEM in production
pip 26.1 — Lockfiles and Dependency Cooldowns — Python catches up
One Map Key, One Lookup — tiny perf habit, every language
A faster runtime under you, a wobbly platform between you and your users, and a 9-year-old kernel bug under everything. The most useful thing you can do this week is patch the kernel, look at Temporal once, and decide whether Zed earns a slot on your dock. If you've already kicked the tyres on any of these, hit reply — I'd like to hear what's actually different on the other side.
Until next week,
Niall