Dr. Axel's blog is gone (for now)

#786 — May 19, 2026

JavaScript Weekly

RFC: It’s Time for npm to Make Install Scripts Opt-In — npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default, and they’ve become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm). This RFC features further discussion of the idea and the tradeoffs involved.

Jamie Magee

💡 npq is a tool that makes npm installs safer. It stands in front of npm and audits packages before installing them, including the presence of pre/post install scripts.

How Depot Built a CI Orchestrator on AWS Lambda — Long-running CI orchestration without long-lived servers. Depot rebuilt their CI engine using AWS Lambda durable functions — stateful, callback-driven, and crash-recoverable. A deep dive into the run-workflow-job hierarchy powering Depot CI.

Depot sponsor

Mini Shai-Hulud Hits: 300+ Malicious npm Packages Published — The "Shai-Hulud" class of npm ecosystem attacks continues to rumble on. Today, hundreds more packages – including popular ones from the antv family and timeago.js – were hit.

SafeDep Team

IN BRIEF:

😱 Dr. Axel Rauschmayer (JavaScript legend and former JS Weekly editor) has taken his blog and JavaScript books off the Web due to being overwhelmed by AI crawlers. You can, however, still purchase his fantastic books here.
The Bun saga continues. Despite once playing down its significance, the Rust-based rewrite of Bun has been merged, though there are questions over the quality of the AI-ported code. Much discussion ensued on Hacker News.
The Deno team is teasing Deno 2.8, due to be released this week. Significant Node.js compatibility improvements, import defer, and TypeScript 6.0.3 support await.
The Chrome and Edge teams are working on a new <install> HTML element for browsers to render a 'trusted install button' for PWAs.
The Express.js project has an all new look, including a new site, logo, and improved docs.

RELEASES:

Angular 22 Release Candidate – Final is due in early June. Expect signal-based forms and the OnPush change detection strategy becoming default.
Bun 1.3.14 – The alternative JS runtime gets Bun.Image, more HTTP/2 and HTTP/3 support, and more Node compatibility improvements.
ESLint Config Inspector 3.0 – A visual tool for inspecting and understanding your ESLint flat configs.
TypeORM 1.0, ESLint 10.4.0, Relay 21.0, Rolldown 1.0.1

📖 Articles and Videos

🤖 Mark Erikson's Agent Setup, Workflow, and Tools — Mark, well known for maintaining Redux and creating Redux Toolkit, goes deep into his daily development workflow, including his use of OpenCode (an open source JavaScript-powered coding agent), how he manages his knowledge base, tasks, and more.

Mark Erikson

Clerk API Keys Are Now Generally Available — Let your users create credentials that delegate access to your API. Verify server-side, revoke instantly — all via the Backend SDK.

Clerk sponsor

📗 NodeBook: An Advanced Guide to Node.js Internals — Eight in-depth chapters for understanding Node.js internals, covering topics like event loop internals, what V8 does, streams, module resolution, and async/await.

Ishtmeet Singh

Soon We Can Finally Banish JavaScript to the ShadowRealm — A tour of the in-progress TC39 proposal for running JavaScript in an isolated ‘pseudo-realm’ with its own globals and intrinsics. Handy for third-party code or anything you want to keep away from global scope.

Mat Marquis

📄 Hardening TanStack After the npm Compromise – What TanStack is doing to improve supply chain security after an attacker published malicious versions of TanStack packages last week. The TanStack Team

📺 The TanStack Start Story: Tanner Linsley on Competing with Next.js – A candid 40-minute interview with TanStack’s founder. Nuno Maduro

📄 Cross-Document View Transitions: The Gotchas Nobody Mentions Durgesh Rajubhai Pawar (CSS Tricks)

🛠 Code & Tools

Orval: Generate Type-Safe Clients from OpenAPI/Swagger Specs — Given a valid OpenAPI v3 or Swagger v2 spec, generate models, requests, hooks, and mocks for React, Vue, Svelte, Solid, and Hono apps, or even plain fetch.

Victor Bury

Brownies: Browser Storage as a Plain Object, With Change Events — One tiny API over cookies, localStorage, sessionStorage and IndexedDB. Typed values survive automatically, and you get subscribe() for change events.

Francisco Presencia

Querying a Billion Rows Shouldn't Freeze Your API — TimescaleDB extends Postgres so analytics queries stay fast at scale. No pipeline, no drift. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

🖼️ Pica 10.0: High Quality Image Resizing in the Browser — High quality in-browser image resizing that leans on WASM and Web Workers or falls back to pure JS as necessary. v10 is a modernization build (the first since 2021) that adds ESM and split builds and migrates to TypeScript. GitHub repo.

Vitaly Puzrin

🗓️ SVAR Calendar: A Calendar Component for React, Svelte and Vue — A flexible calendar component with a MIT-licensed core and extended commercial version. Here’s a live demo of the open source version.

XB Software Sp.

💡 Schedule-X is another great option in this space and v4.6 just landed.

Fate 1.0: A Modern Data Framework for React — A new data framework from former Jest lead and ex-Meta engineer Christoph Nakazawa.

Christoph Nakazawa

Alien Signals: 'The Lightest Signal Library' — Boils the best of Vue, Preact and Svelte’s approaches down into the lightest signal library going. A push-pull reactivity core so well-tuned it got merged back into Vue.

Johnson Chu

Critical 8.0 – Addy Osmani's library for extracting and inlining above-the-fold CSS into HTML.
SQL Formatter 15.8 – Pretty-printer for SQL queries. (Demo)
Shiki 4.1 – Popular, powerful syntax highlighter.
Redux Toolkit 2.12.0 and React Redux 9.3
Vue.js Language Tools 3.3

📰 Classifieds

HyperFormula: The headless spreadsheet engine with 400+ Excel-compatible formulas. Run complex calculations at high speed.

Flaky tests slowing down dev? Meticulous gives engineers confidence to ship faster by autonomously testing every edge case of your web app.

⚙️ Middleware, but for AI agents. Compose Claude Code, Codex & Gemini as one TypeScript harness — 100+ agent recipes. agentfield.ai/github.

📢 Elsewhere in the ecosystem

Andrea Giammarchi proposes JSONRegistry (above), an alternative to JSON that lets you define a registry for serializing and reviving custom/branded types.
🐝 Wasp is a Rails-like framework for Node, React and Prisma. It started life as a new programming language of its own before moving to JavaScript. Founder Matija Sosic tells the story in 5 Years and $5M Later: Inventing a New Programming Language for Web Development Was a Mistake.
Did you know that some browsers render certain sites 'differently' on an ad hoc basis? Firefox and Safari ship with built-in 'tweaks' for popular sites to fix elements that don't render correctly by default.
🤖 Simon Willison shares a quick look at the last six months in LLMs.