Budapest
316 posts


Oxlint v1.64.0 & Oxfmt v0.49.0 are out! 🚀 → oxfmt experimental svelte support → ruleCustomizations linter LSP option → improved disable directive handling → 15 bug fixes → performance optimizations in oxfmt CLI take a look below ⬇️




SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.
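The detection rule from the advisory above, turned into a scanner for an installed dependency tree. This is an added example, not part of the original post and not TanStack's or npm's tooling; the names checkManifest and scanTree are hypothetical, and because the commit hash is truncated in the post only the dependency name and URL prefix are matched.

```javascript
// Added example. Indicators are taken from the advisory text; the commit hash is
// truncated there, so only the dependency name and the URL prefix are matched.
const BAD_DEP = '@tanstack/setup';
const BAD_PREFIX = 'github:tanstack/router#';
const PAYLOAD_FILE = 'router_init.js';

// Check one parsed package.json plus the file names at its package root.
// Returns a list of findings; an empty list means no indicator matched.
function checkManifest(manifest, rootFiles = []) {
  const findings = [];
  const spec = ((manifest && manifest.optionalDependencies) || {})[BAD_DEP];
  if (typeof spec === 'string') {
    const note = spec.startsWith(BAD_PREFIX) ? 'matches advisory' : 'different spec, review';
    findings.push(`optionalDependencies["${BAD_DEP}"] = ${spec} (${note})`);
  }
  const scoped = String(manifest && manifest.name).startsWith('@tanstack/');
  if (scoped && rootFiles.includes(PAYLOAD_FILE)) findings.push(`${PAYLOAD_FILE} present at package root`);
  return findings;
}

// Walk an install tree (nested node_modules included) and check every package.
// Dirent.isDirectory() is false for symlinks, so linked stores cannot loop.
async function scanTree(root) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const hits = [];
  async function walk(dir) {
    let entries;
    try { entries = await fs.readdir(dir, { withFileTypes: true }); } catch { return; }
    const names = entries.map((e) => e.name);
    if (names.includes('package.json')) {
      try {
        const m = JSON.parse(await fs.readFile(path.join(dir, 'package.json'), 'utf8'));
        for (const finding of checkManifest(m, names)) hits.push({ dir, version: m.version, finding });
      } catch { /* unreadable or malformed manifest: skip */ }
    }
    for (const e of entries) if (e.isDirectory()) await walk(path.join(dir, e.name));
  }
  await walk(root);
  return hits;
}

// Usage: node scan.js ./node_modules   (exit code 1 if anything matched)
if (process.argv[2]) {
  scanTree(process.argv[2]).then((hits) => {
    for (const h of hits) console.log(`${h.dir} @ ${h.version}: ${h.finding}`);
    process.exitCode = hits.length ? 1 : 0;
  });
}
```

A clean scan only shows that the indicator is absent from what is on disk now; per the advisory, a host that installed an affected version in the stated window still needs its credentials rotated.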


One of the biggest Android updates ever is coming.

I think Bun's current approach is just asking a clanker for things they could implement on a random Friday and then telling it to implement it for the hell of it. Give me one good reason for my runtime to be able to process images in multiple formats. ONE.

Animated favicon for a client

The single greatest sign a C# dev wrote your TypeScript: interface IUser {




Honestly, this is the most accurate diagram I've seen. Waterfall: You plan for 18 months and deliver exactly what nobody needs anymore. Agile: You deliver something usable at every step, but the CEO keeps asking, "Where's the car?" AI: You get the car on day one. It has six wheels, the doors are on backwards, and it has a rocket launcher. You spend more time making it yours than actually "building"; it's shaping. owning. verifying. That's what the best AI developers do now. They don't build. They shape and own.

ummm you can create some obnoxiously cool focus rings with the new HTML-in-Canvas API



Version 1 of Lucide is out 🚀. Check out lucide.dev

In case you didn’t know, React didn’t invent RSC, SSR, or Hydration, conceptually:

SSR is Express:
app.get('/', (req, res) => {
  res.render('index', { name: 'John' })
})

RSC is Pug:
if name == "Bob"
  button(class="btn") Hello Bob
else
  button(class="btn") My name is #{name}

Hydration is jQuery:
$('.btn').click(...)

That’s why there’s no window in SSR, and you can’t set onClick in RSC, and you have hydration errors in jQuery too (such as a typo of .btn) but with a less fancy name.

Why Python Feels Like a Power Tool

Do backend devs really find joy in doing this?

this is why you need a windows person







