the alpha release for waku v1 is out! 🎉 ⛩️ waku.gg/blog/waku-v1...

Many of you will have started your christmas breaks, but trust me, this 30mins is worth it. @sachajudd.com's closing from #FFConf is now live. It's not your usual nostalgia/look at what it was, but real meaty inspiration as to what we can do now. Treat yourself! www.youtube.com/watch?v=29-s...

More than 3GB added to English Wikipedia alone this year. Nearly 250k editors worldwide. The collaboration network Wikipedia fostered is such an incredible gift to the world.

I think the next wave out of Twitter won't happen because of a generalized outrage event. This time it will slowly build up with each person that completely stops using it.

Great they slow cooked masonry for so long, this looks so good. And defaulting item-tolerance to 1em is a very nice touch. .container { display: grid-lanes; grid-template-columns: repeat(auto-fill, minmax(250px, 1fr)); gap: 16px; }

we released the new @e18e.dev ESLint plugin today! 🎉 this comes with 3 categories of rules: modernisation, performance, replacements it also works with oxlint and most of the rules have auto-fixes 🛠️ try it out and let us know any feedback/rule suggestions in discord/bsky/github!

Threads' fediverse play is in maintenance mode. And Meta is testing a limit of 2 links per month in posts for some Facebook users, unless they pay a subscription. Eventually, the open web will prevail. Let's hope we don't need to live through a hundred more walled gardens to get there.

HTML hidden=until-found and auto-opening <details> is newly baseline… or is it? Here's how it works, and issues to watch out for:

This talk crossed 200k views for a good reason. Highly recommended. Not only for desktop and not only for designers.

npm's broken UI bugged me enough I wrote a userscript to fix them, and added some features too. Repo: github.com/bluwy/npm-us... Here's a before-and-after comparison:

Rather than reinventing countless wheels, Netlify and Cloudflare are now collaborating on framework detection and auto-configuration! Cloudflare engineers have been contributing to the open-source www.npmjs.com/package/@net..., which wrangler now leverages just like Netlify. 🤝

Big improvement to frameworks on Cloudflare! You can now deploy most frameworks from the CLI with zero config. No adding adapters. No editing configs. No wrangler.toml! It's all done automatically. Experimental now, with 10 frameworks supported today. developers.cloudflare.com/changelog/20...

RSC Explorer is now open source! tangled.org/danabra.mov/...

📦 Block Exotic Sub-dependencies Want to secure your dependency tree? Enable blockExoticSubdeps: true. This prevents transitive dependencies (deps of deps) from resolving "exotic" protocols like git+ssh: or direct https: tarballs. Keep the weird stuff out of your deep dependency graph. 🕵️‍♂️

Announcing eurosky.social accounts - launching January 2026. ✅ Managed by Eurosky, a European non-profit initiative ✅ Hosted on European cloud ✅ Governed by European law www.eurosky.social/register

hi here's a Statusphere demo written using atcute, Tap, and SvelteKit tangled.org/mary.my.id/atc…

Build your own ATProto Adventure! An atproto SvelteKit template. I needed a confidential oauth client, so I thought to abstract the start of the project to a template for anyone to use! I am hoping this will be one of the easiest ways for devs to start an atproto project w/ oauth demo.atpoke.xyz

To recap, NPM allows 2FA TOTP token reuse within the token’s validity window. I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.” So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/

Please update (again) immediately.

Good read. @ntnsndr.in interviews @bnewbold.net about the history of Bluesky from his perspective as a protocol engineer. A great deal of pragmatism and such a unique set of circumstances allowed the network to succeed as it did. protocol.ecologies.info/interviews/n...

Just published a polyfill for <input type="checkbox" switch>: github.com/tomayac/inpu.... Here's a quick demo: tomayac.github.io/input-switch.... A little proud of how this conditionally only loads when it's needed. Compare Chrome (above, needs the polyfill) and Safari (below, doesn't need it).

The browser-compat-data project (used by MDN, caniuse, and tools) now has: 20,000 commits 1,123 contributors 465 releases 19,148 data entries That's what comprehensive web compat data looks like. And it takes well funded teams at @openwebdocs.org and @mozilla.org plus amazing contributors.

Super exciting: Rust is no longer experimental in the Linux Kernel, it is here to stay!!! lwn.net/Articles/104...

Announcing Oxlint Type-Aware Linting Alpha 🚀 ⚡ Fast via tsgo (TypeScript 7) 🔍 Type-checking while linting ⚙️ Rule configuration 🛑 Highly demanded no-deprecated rule oxc.rs/blog/2025-1...

🎉 And we're live! 🎉 We just launched CSS Wrapped 2025: our annual recap of all things CSS & web UI that landed in Chrome over the course of the year. 🚀 This is a big one! We highlighted 22 new features to help you build better on the web. Check out: chrome.dev/css-wrapped-2025

From the thread: "Attacks from bot compromised Next.js assets spiked on 2025-12-05 from the usual 100 IP baseline to close to a 1000." If you're not 100% sure you're NOT vulnerable, you should patch your Next.js apps ASAP. And if you're 100% sure... patch anyway.

A new milestone! @vitest.dev hit 20 million mark 🎉 Took us 4 years since the first closed 0.0.0 release on December 3d, 2021 😄

this is nuts, non-dismissible full page message, social meta title swapped to CVE-2025-55182

The original React2shell PoC is now public. This is as bad as it gets – full RCE. You must upgrade now. There are mitigations in place in CDNs including Cloudflare, Netlify, Vercel and AWS (and sites on Workers aren't vulnerable to this sort of attack), but there are variants in the wild now.

The changed code is a small fraction of an open source contribution. Your commitment to understand the issue, how your proposed solution fits with the project, and be ready to own and push the review process forward is the biggest chunk of the work. Your effort is the contribution, not the code.

Hello friends and welcome to a new “How is ESM vs CJS going!” 33.4% of the popular packages on npm now includes ESM. Up from 29.6% half a year ago. We have a third! ESM-only is up from 11.5% to 12.6%. This is also the impact of half a year of Node 18 being EOL, making `require(esm)` available

There Are So Many Things You Might Not Need A Library For Anymore These Days

It's merged! The next alpha/beta release @astro.build will support @vite.dev Environment APIs! It took a long time because we had to re-architect the whole rendering pipeline. With this, even the @cloudflare.social Vite Plugin will work out of the box!

> We're closing these issues logged on a codebase that is not being maintained. Please re-log them, if applicable, against the new codebase, which is a rewrite < How dare you?? You should manually check them all > That'd take hundreds of hours < Why not crowdsource it instead then > I just did?

rated CVSS 10.0, upgrade now if there isn't a mitigation in place by your server provider > An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.

⚡️ The first Vite 8.0 beta is here! - Powered by Rolldown, bringing significantly faster production builds and more consistency - New features such as tsconfig paths or emitDecoratorMetadata support - Bumping browser targets aligned with Baseline Widely Available Read more in our announcement post!

Great post, interesting heuristics for "eagerness: moderate" on mobile: - Anchor links within 30% vertical distance from the previous pointer down. - Anchor links at least 0.5× as big as the largest anchor in the viewport. - The browser waits 500 milliseconds after the user stopped scrolling.

First blog post in 6 years, now powered by @astro.build. “Late to my own party” is very on brand 🙈 Here's a quick rundown of what I've been up to

Strongly recommend searching for "bun" here on Bluesky and looking at the popular results to read all the comments about Anthropic buying the Bun js runtime

a javascript runtime @bun.sh has been acquired by the claude ai guys

I'm sure many of you have already been trying out the native preview, but if you haven't, now is the best time to start!

Introducing VoxCSS: a DOM based voxel engine github.com/LayoutitStud...

If you're tired of supporting tsconfigs too, I've wrote something. github.com/bluwy/tsconf...

We have Custom Elements, but do we also need Custom Attributes? This was discussed at TPAC. Is it something you'd like on the platform? https://github.com/WICG/webcomponents/issues/1029

Announcing Oxfmt: Oxc Formatter Alpha oxc.rs/blog/2025-1...

TIL Wikipedia moved to shared desktop/mobile website URL pattern, no more m-dot URLs. If you're curious about the behind-the-scenes work (site migrations! everybody's favorite, right?!): www.mediawiki.org/wiki/Request... www.mediawiki.org/wiki/Request... techblog.wikimedia.org/2025/11/21/u...

This is one of my favorite traditions that we do on Electron; it’s a great time to both recharge and get caught up on internal maintenance and projects that we might not normally have the time to look into

Mozilla, Microsoft, Google, Intel, Apple all came together to celebrate this great milestone: WebGPU is now supported in major browsers! Check out our post.

we've started tracking the ongoing and upcoming projects better on the e18e site hopefully this gives a better idea of the things we're building!

🤯 The number of affected packages in the Shai-Hulud npm attack has now reached 770. We’re continuing to investigate and will keep the blog post updated: socket.dev/blog/shai-hu...