
The JavaScript ecosystem never slows down.
Over the past two weeks we’ve seen major updates across runtimes, frameworks, tooling, and security.
In this issue of Friday Links, we highlight the most interesting developments across the JavaScript world — from infrastructure changes and new tools to security research and ecosystem trends.
🧠 Ecosystem Highlights
TypeScript 6 Prepares the Path to TS7
The TypeScript team released an early preview of TypeScript 6.
This release is mainly about internal changes preparing for the future Go-based compiler planned for TypeScript 7.
Key goals:
- faster compilation
- reduced memory usage
- better incremental builds
- improved large project performance
Large monorepos could see dramatic speed improvements once the Go compiler lands.
Deno 2.7 Improves Node Compatibility
The latest Deno runtime release continues improving Node compatibility.
Highlights:
- improved npm integration
- Node API compatibility
- Temporal API stabilization
Example:
const now = Temporal.Now.instant()
console.log(now.toString())
📜 Articles & Tutorials
Under the hood: Security architecture of GitHub Agentic Workflows
Beating JavaScript Performance Limits With Rust and N-API: Building a Faster Image Diff Tool
The Different Ways to Select <html> in CSS
The Big Gotcha of Anchor Positioning
How to steal npm publish tokens by opening GitHub issues
How to Decode a VIN in JavaScript
Making a Flappy Bird clone using pure HTML and CSS, no JavaScript
How to build a pnpm monorepo, the right way
React is changing the game for streaming apps with the Activity component
Using CSS animations as state machines to remember focus and hover states with CSS only
5 React Hooks Techniques to Improve Component Performance
⚒️ Tools
Repomix — Turn Any Repo Into a Single AI-Readable File

Repomix packs an entire repository into a single AI-friendly document.
Cursor Cloud Telegram Connector
npmx is an experimental tool designed to improve npm package exploration.
Wely — Lightweight Web Component Framework
Ink allows developers to build CLI tools using React components.
📚 Libs
Node File Trace - determines exactly which files a Node application needs to run.
JavaScript Minification Benchmarks: SWC Still Leads
RevoGrid - High-Performance Data Grid Component
VMPrint - A pure-JS, tiny typesetting engine with bit-perfect PDF output on everything—from Cloudflare Workers to the browser.
markdown-to-jsx - A very fast and versatile markdown toolchain. Output to AST, React, React Native, SolidJS, Vue, HTML, and more!
clipboardy - Access the system clipboard (copy/paste)
⌚ Releases
Solid v2.0.0 Beta: The <Suspense> Era Comes to an End
After a long experimental phase, Solid 2.0 has released its first beta, introducing native asynchronous reactivity as a core feature of the framework.
In this new model, reactive computations can directly return Promises or async iterables, and Solid’s reactive graph will automatically suspend and resume around those async operations. This removes much of the complexity developers previously had to manage when dealing with asynchronous state.
One notable change is that <Suspense> has been retired. For initial renders, it is now replaced by a simpler component called <Loading>.
React Native 0.85 RC.0, pnpm 10.32, Jest 30.3, Recharts 3.8, OpenPlayer.js 3.0.2, Prisma 7.5, SQLite JS 1.3, React Helmet Async 3.0, Preact 10.29.0
📺 Videos
Build Your Own Video Sharing App – Loom Clone with Next.js and Mux JavaScript Tutorial
You Can Just Ship Agents: Architecting for the Agentic Era | Dom Sipowicz, Vercel
Cloudflare just slop forked Next.js…
7 new open source AI tools you need right now…
NEW Tanstack Hotkeys Library is Amazing
🎤 Talks & Podcasts
Why are we building CodePen v2? — CodePen Radio 419
🗞️ News & Updates
The web industry is gradually shortening the maximum lifespan of TLS certificates.
Starting March 15, 2026, the limit will drop from 398 days to 200 days. The timeline continues with further reductions: 100 days in 2027, and by 2029 the maximum validity period will shrink to just 47 days.
Because of these changes, Heroku recommends enabling automatic certificate renewal to avoid unexpected expirations and potential service disruptions.
🔐 Security
Supply-Chain Attacks Target Developers
Researchers recently discovered malicious GitHub repositories disguised as job assignments.
When such a repository is opened in VS Code, it may execute scripts automatically.
Developers should always review:
- .vscode/tasks.json
- .vscode/settings.json
- package.json
vm2 Sandbox Escape Vulnerability
A critical vulnerability was discovered in vm2, a sandbox library used for executing untrusted JavaScript.
This vulnerability allows escaping the sandbox and executing arbitrary code.
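The three files listed under "Supply-Chain Attacks Target Developers" above can be reviewed as plain text, before the folder is opened in an editor or installed. This is an added example, not code from the newsletter or from any linked article: a Node.js function that flags tasks set to run on folder open, the setting that switches automatic tasks on, and npm install-time scripts. The function names and the sample repository contents are constructed for illustration.

```javascript
// Added example: static review of files that can run code on open or install; nothing is executed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// VS Code config files are JSONC: drop comments and trailing commas, leaving string contents intact.
function parseJsonc(text) {
  return JSON.parse(text
    .replace(/("(?:\\.|[^"\\])*")|\/\/[^\n]*|\/\*[\s\S]*?\*\//g, (m, s) => s || '')
    .replace(/("(?:\\.|[^"\\])*")|,(\s*[}\]])/g, (m, s, tail) => s || tail));
}

// files: map of relative path -> file text (read it yourself, e.g. with fs.readFileSync).
function auditRepoFiles(files) {
  const findings = [];
  const add = (file, issue, detail) => findings.push({ file, issue, detail });
  const load = (name) => {
    if (!(name in files)) return null;
    try { return parseJsonc(files[name]); }
    catch { add(name, 'unparseable, review by hand'); return null; }
  };
  const tasks = load('.vscode/tasks.json');
  for (const t of Array.isArray(tasks?.tasks) ? tasks.tasks : []) {
    // VS Code starts such a task when the folder opens, if automatic tasks are allowed.
    if (t?.runOptions?.runOn === 'folderOpen')
      add('.vscode/tasks.json', 'task runs on folder open',
        `${t.label || '(unlabelled)'}: ${t.command || ''}`);
  }
  if (load('.vscode/settings.json')?.['task.allowAutomaticTasks'] === 'on')
    add('.vscode/settings.json', 'automatic tasks switched on');
  const scripts = load('package.json')?.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    // npm runs these lifecycle scripts during `npm install`.
    if (typeof scripts[hook] === 'string')
      add('package.json', `"${hook}" script runs during npm install`, scripts[hook]);
  }
  return findings;
}

// Constructed sample input (not taken from any real repository).
const SAMPLE_REPO = {
  '.vscode/tasks.json': `{
    // constructed: includes a comment and a trailing comma
    "tasks": [
      { "label": "setup", "command": "node ./scripts/setup.js", "runOptions": { "runOn": "folderOpen" } },
      { "label": "build", "command": "npm run build" },
    ] }`,
  'package.json': '{"scripts":{"test":"jest","postinstall":"node ./scripts/setup.js"}}',
};
console.log(auditRepoFiles(SAMPLE_REPO));
```

A finding is a prompt to read the referenced script, not a verdict: many legitimate projects use `prepare` or `postinstall`.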
Researchers at Brave discovered that web agents often leak user information — even when explicitly instructed not to.
In a study involving 1,080 runs on Amazon and eBay, agents powered by GPT-4o, O3, and O4-mini repeatedly exposed data to third-party services that had nothing to do with the task they were performing.
Examples included:
- inserting conversation history into search fields
- revealing personal details through interaction patterns
- unintentionally sending contextual data to external services
The findings highlight a growing concern: AI web agents may unintentionally expose sensitive user information through their behavior, even when privacy safeguards are in place.
The Anthropic team recently analyzed the Firefox codebase using Claude and uncovered 14 critical vulnerabilities that had gone unnoticed for years.
In total, the investigation led to the discovery of 22 security issues, all of which were assigned CVE identifiers and addressed in Firefox 148.
Some of these vulnerabilities had reportedly been present in the codebase for over a decade, highlighting how AI-assisted analysis can help uncover deeply hidden security flaws in large, mature software projects.
How we got hit by Shai-Hulud: A complete post-mortem
The JavaScript ecosystem is entering an interesting phase.
Tooling is increasingly written in Rust and Go, runtimes are competing to deliver faster developer workflows, and AI is beginning to influence everything from code editors to vulnerability research.
At the same time, security and supply-chain awareness are becoming central concerns for modern development.
Whether you’re working with Node, Deno, Bun, or the browser, keeping up with these shifts helps you understand where the ecosystem is heading next.
See you in the next issue of Friday Links, where we track the most interesting developments across the JavaScript universe.