what are we even doing?

We've published two Windows-related security advisories: ◇ If Vite runs with `--host`, denied files may have been reachable over the network. ◇ launch-editor with NTLM enabled may leak NTLMv2 hashes via a malicious page. Update to Vite 8.0.16/7.3.5/6.4.3, Vite+ 0.1.24, and launch-editor 2.14.1.

We've published a Browser Mode security advisory. CDP-capable providers like Playwright Chromium with the browser API exposed to the network allowed attackers to run code on the host. Update vitest/browser to 5.0.0-beta.4, 4.1.8, or 3.2.6. Vite+ users: Upgrade to 0.1.24 github.com/vitest-dev/v...

／ 📢 Vue Fes Japan 2026 CFP is now open‼️ ＼ The Call for Proposals for Vue Fes Japan 2026 is now open. Submit here 👇 docs.google.com/forms/d/e/1F... Full details in this article ✨ note.com/tutti2612/n/... We can't wait to see your proposals! #vuefes

Building this integration has been amazing opportunity to dogfood all APIs we've added into @vitest.dev in past years. It's using features like new Reporter APIs, Vitest plugin hooks, browser commands, CDP, test tags and much more! Vitest is definitely one of the most extensible JS tools out there.

happy pride month 🎉

Rumor has it... if SvelteKit reaches #2... we'll rewrite npmx in it 👀

“Opened 296 other pull requests in 27 repositories”

i made a new game called js crossword where you have to solve it by literally writing javascript code that eval()'s into the correct values! check it out if you're into ctfs or wanna challenge your javascript skills lyra.horse/fun/jscrossw... <3

If you're feeling burned out because your motivation is fading due to today's tech news or your job, join communities like @npmx.dev, @e18e.dev, and other OSS projects to get your drive back. Stay away from AI agents and interact with real people. It's one of the best things that happened to me.

Dear Peter Magyar, it has only been a few weeks. But we can feel a strong wind of change across Hungary. Fight corruption. To kickstart economic recovery. And restore the rule of law. Today we share the progress made ↓ link.europa.eu/9PH3Dh

We’re launching early access for Vitest visual testing with Chromatic! ⚡️ Built with @vitest.dev core maintainer ariperkkio.dev, Chromatic adds visual testing to the browser tests you already write. 🧵 (1/4)

console.log("happy birthday, @nodejs.org!")

This is the most incredible triumph of propaganda in my lifetime. The idea that Hitler was "left" and/or a "socialist" once was correctly seen as self-evidently insane. But here we have the richest & most powerful man on earth blithely repeating it.

Check this out

More musings after some people got upset about the word clanker. lucumr.pocoo.org/2026/5/26/cl...

In @npmx.dev you can now view a package's changelogs currently only package's that use Github to host their releases or changelog.md are supported but support for others are planned

the @e18e.dev npm publishing guide has been updated to recommend the new `npm stage` feature! this guide and the templates it offers are a good way to get setup quickly in a secure way

We’ve been working on a new site for Changesets with a lot of new docs! If changesets has been confusing before, hopefully some of these will help, or let us know what else could be improved. Check it out 👉 changesets.dev

This might be what vexes me most of the unforced GitHub Actions minefield. Commenting on PRs is PUBLIC. Any registered account can do it without permissions!! And yet if you want an automation to comment, you’re encouraged to run it as a privileged, dangerous pull_request_target job.

🙋‍♂️ do I know any oss friends who are facing unwelcome LLM-generated PRs or comments? .... want to fight back?

`import defer` is the new ES2025 syntax for lazy module loading. Deno is the first runtime to ship it and with TypeScript support. Big win for CLI startup and conditionally-loaded code.

Woooo yeaaah! The missing piece 🎉 everything is about to get a lot more secure

Oh, we know

OSS burnout claims another project. On 2 Apr, an entitled user angrily asked the burned-out maintainer of nvim-treesitter to “go switch to something that doesn't require interacting with people”. The maintainer replied “OK” — and archived the repo, stopping development of nvim-treesitter.

Module mocking in test runners is the devil. Prevents so many performance opportunities.

What do you think of a dev tool that helps you inspect components in your live app and then save that snapshot as a story in Storybook? 🤔 Backed by the incredible Vite devtools of course @antfu.me <3

I can't believe I asked @rich-harris.dev for an opinion

it's just possible I may have been killed. 💀

GitHub is not having a good time recently 😬 I hope the teams over there can figure this stuff out

Winter is coming.

GitHub actions publishers, please use immutable releases!

A well-written bug report is worth so much more than a drive-by PR with a "solution". Showing us maintainers how to reproduce it is often the real work and improves debugging your skills!

🚨 We are publishing Vitest 4.1.6 and Vitest 5.0.0-beta.3 to resolve recent vulnerabilities: - `--api` and `--ui` exposed arbitrary files to the network - `--api` allowed arbitrary execution - `?otelCarrier` XSS Check github.com/vitest-dev/v... for more information

Proof that @danielroe.dev will definitely pass if it doesn't use svelte

Chrome shipped an LLM Prompt API to the web platform. At Mozilla, we oppose this API. Here's why:

Speeding up the JS ecosystem OXC edition 🚀 We made both oxfmt and oxlint 50% faster on projects with >50k directories. marvinh.dev/blog/speedin...

many such cases

Couldn't keep up with all the news? We got some selected highlight from last month to recap! 🌀 → Vite Plus lazyPlugins API → @vitest.dev 5 sneak peak → Oxlint: RFC for linting Svelte/Vue/Angular templates → Module Federation in @vite.dev via plugin → @npmx.dev vp option youtu.be/zwY4UZr-qjc

> *open Twitter* > Bun’s controversial rewrite, Next.js/Tanstack CVEs, ragebait for money, new terrible AI photo processing… > *close Twitter* > *open Bluesky* > just patak literally cooking What a peaceful world, how do you survive in the warzone that’s the other app

I'll go against the discourse. 280 contributors to repo.npmx.dev in 100 days. We only used bluesky for social comms. We asked while welcoming folks, and most of them got involved after reading our bsky posts. Thanks for building and running bluesky. This network is a great place to do open source 💙

Wild to see that @npmx.dev was the fastest-growing emerging open source organization by number of contributors in Q1 2026 according to osscar.dev. What is even more interesting: it was the only non-AI tool in the top 10.

We made a fake repo with fake bounties, and the bots are applying fake PRs, so we know who is fake, and we can ban them from the Coolify repo. IQ over 1000

Have you ever written the words "Hello, World"? Did you ever wonder who typed it first? And why? Brian Kernighan, co-author of the book that defined the C language, has the answer. Find out in this outtake from our upcoming C++ documentary. youtu.be/vLer3fRwwxE

New feature on @npmx.dev 🎉 The timeline tab now comes with a chart, so it is easier to see the evolution of the package size and its dependencies. The positive and warning events queried from @e18e.dev are great to check the package health ❤️

Mythos' underwhelming results for curl are a great example of why Open Source is even more important now that we have access to these tools. curl is more secure because everyone can tinker with it. We should be doubling down on Open Source rather than closing projects in panic.

This 100%. My approachability and willingness to help have gone down across the board. It's not joyous anymore.