Scientific American published a study this week showing that developers using AI coding tools are working longer hours, not shorter. More code shipped, more features completed, more PRs merged — but total hours worked went up.

It's the productivity paradox I keep seeing play out. AI doesn't reduce the work — it raises the expectations. When you can generate code faster, the goalpost moves. Sprints get more ambitious. Backlogs grow instead of shrinking. And the maintenance burden of all that AI-generated code? That's a bill nobody's accounting for yet.

Meanwhile, a prompt injection attack compromised Cline's production npm packages this week because an AI bot in their CI pipeline processed a malicious GitHub issue title. 4,000 developers installed the compromised package before it was caught. We're giving AI agents write access to production credentials — and acting surprised when it goes wrong.

The pattern is clear: AI is making individual tasks faster while making the overall system more complex and fragile. More code, more risk, more hours. That's not productivity — that's acceleration without steering.

Here's everything else worth your time this week.

The Big 3

The last major release before the Go-based TypeScript 7.0. Strict mode is now enabled by default. ES5, AMD, UMD, and SystemJS are deprecated. --moduleResolution node is deprecated in favor of nodenext or bundler. The types field now defaults to an empty array — projects that relied on ambient @types packages need explicit config. On the upside, teams are seeing 20–50% build time improvements from the cleaner defaults. If you maintain a TypeScript project, start testing against 6.0 now.

A Scientific American study finds that AI coding tools increase output but also increase total hours worked. The efficiency gains get absorbed by higher expectations — more ambitious sprints, larger backlogs, faster feature demands. The result is more code shipped per developer, but no reduction in working time. A useful data point for anyone making organizational decisions based on "AI will let us do more with fewer people."

A security researcher discovered that Cline's AI-powered issue triage bot could be manipulated via prompt injection in a GitHub issue title. The attack chain escalated from issue triage to cache poisoning to stealing npm publishing credentials. An unknown actor exploited the same flaw to publish a compromised version of the Cline package to npm, affecting ~4,000 developers before it was pulled. A stark warning about giving AI agents access to CI/CD pipelines.

Articles & Tutorials

The Value of z-index (10 min)
A thorough look at how we choose z-index values, why stacking contexts matter more than the numbers, and practical strategies for managing layering in complex projects.

Security Architecture of GitHub Agentic Workflows (8 min)
GitHub explains how they built isolation, constrained outputs, and comprehensive logging into their agentic workflow system.

Safari Silently Deleted Users' Saved Data After 7 Days (5 min)
Safari's ITP enforcement deletes script-writable storage after 7 days of inactivity — with no warning. If your app relies on IndexedDB or localStorage for offline data, this matters.

Can Coding Agents Relicense Open Source? The chardet Controversy (10 min)
The Python chardet library used Claude Code to rewrite LGPL code and relicensed as MIT. If AI rewriting counts as "clean room," copyleft may be unenforceable.

Pushing and Pulling: Three Reactivity Algorithms (12 min)
Deep-dive comparing push-based, pull-based, and hybrid reactivity — the approaches behind Angular Signals, Solid, Vue, and the TC39 Signals proposal.

Offloading FFmpeg with Cloudflare (3 min)
Kent C. Dodds explains how he moved podcast processing from Fly.io to Cloudflare Workers — a practical example of offloading compute-heavy tasks to the edge.

Building a Video Rendering Engine by Lying to the Browser About Time (10 min)
Replit built a deterministic video renderer by virtualizing browser time with a ~1,200-line JS shim that replaces setTimeout, requestAnimationFrame, and Date.

Career & Takes

"Open Sores" — How Open Collaboration Is Being Punished (8 min)
An essay on how programmers built a culture of open collaboration — and how AI companies and license arbitrage are eroding it. 1,000+ upvotes on Reddit.

The Junior Developer Isn't Extinct — They're Stuck Below the API (5 min)
The problem isn't that junior roles disappeared — it's that the entry point shifted from writing code to understanding abstractions nobody's teaching.

The Next Two Years of Software Engineering (15 min)
Addy Osmani cites a Harvard study showing junior dev employment drops 9–10% within six quarters of AI adoption, while senior roles remain unchanged.

Tools & Releases

Oxfmt Beta: 30x Faster Than Prettier, 100% Conformance (8 min)
Passes 100% of Prettier's JS/TS conformance tests while running 30x faster. Handles CSS, JSON, YAML, HTML, Markdown, and more. Built-in Tailwind sorting. One-line migration.

Rust 1.94.0 (5 min)
Latest stable Rust release with type system improvements, standard library additions, and tooling updates.

GPT-5.4: 1M Token Context, Native Computer Use (6 min)
OpenAI's latest model features a 1M token context window, native computer-use capabilities, and 33% fewer factual errors than GPT-5.2.

Google Workspace CLI — Rust-Built, 10k Stars in a Week (5 min)
Google open-sourced a Rust-built CLI for Drive, Gmail, Calendar, Sheets, and Docs. Includes 40+ agent skills. Apache 2.0 licensed.

shadcn/cli v4 with Skills and Presets (3 min)
Skills, presets, dry-run mode, and expanded component support. The de facto standard for React component libraries keeps shipping.

Watch

The Greatest Unsolved Problem in Computer Science (10 min)
Fireship tackles P vs NP — why it matters, why it's still unsolved, and what it would mean if someone cracked it.

Stop Putting Secrets in .env (30 min)
Syntax covers Varlock, a new approach to environment variable management that moves beyond .env files.

T3 Code: Open Source AI Dev Tool (15 min)
Theo announces T3 Code, a fully open-source AI development tool built from a love of the developer experience problem space.

The AI productivity debate is going to get louder before it gets quieter. If that Scientific American study or the Clinejection attack has you rethinking how your team uses AI tooling, I'd love to hear it. Hit reply — these are the conversations I learn the most from.

Until next week,
Niall
