#Vite plugins sometimes need to run expensive tasks. By controlling when your plugin runs these tasks, you can make both the #Dev server and production builds faster. Here's a quick solution:

What's your best tip for developing Vite plugins?

https://samuelplumppu.se/blog/detect-vite-plugin-restarts-to-avoid-rerunning-expensive-tasks

#TypeScript #JavaScript #WebDev #SvelteKit

Some thoughts on 'API Builder' style - using property access tricks to pretend you encoded all endpoints of an API.

https://caolan.uk/notes/2025-09-18_api_builder_style.cm

#JavaScript

Some thoughts on 'API Builder' style - using property access tricks to pretend you encoded all endpoints of an API.

https://caolan.uk/notes/2025-09-18_api_builder_style.cm

#JavaScript

Novo ciberataque “Shai-Hulud” propaga-se como um verme e compromete 187 pacotes npm
🔗 https://tugatech.com.pt/t71903-novo-ciberataque-shai-hulud-propaga-se-como-um-verme-e-compromete-187-pacotes-npm

#API #ataque #cascata #CD #CI #ciberataque #Github #google #javascript #linkedin #malware #npm #phishing #riscos #segurança #servidor #software 

Novo ciberataque “Shai-Hulud” propaga-se como um verme e compromete 187 pacotes npm
🔗 https://tugatech.com.pt/t71903-novo-ciberataque-shai-hulud-propaga-se-como-um-verme-e-compromete-187-pacotes-npm

#API #ataque #cascata #CD #CI #ciberataque #Github #google #javascript #linkedin #malware #npm #phishing #riscos #segurança #servidor #software 

🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

#NodeJS#JavaScript

🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

#NodeJS#JavaScript

Learning web development: Implementing web servers
https://2ality.com/2025/09/implementing-web-servers.html

#2ality#WebDev#JavaScript

Learning web development: Implementing web servers
https://2ality.com/2025/09/implementing-web-servers.html

#2ality#WebDev#JavaScript

Behind The Scenes of Bun Install

https://bun.com/blog/behind-the-scenes-of-bun-install

Super interesting read, not just for people into #javascript and #bun but also anyone into optimizing systems programming tasks.

cross-posting my little rant about #npm #npmattack #javascript #typescript stuff here:

Random NPM thoughts of the day:

1. The primary NPM registry should be obsoleted entirely ASAP
2. JSR does not do anywhere near as much as it should, and it's probably too late to fix.
3. A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
4. All packages MUST be ESM (JSR ok here)
5. MUST include docstrings on all publicly-reachable interfaces.
6. MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
7. MUST have a non-trivial README.
8. MUST be tied to a PUBLIC repo.
9. MUST NOT have install scripts (yeah sorry, the fight's over)
10. MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
11. MUST have a name that is scoped to its publishing user/org (@foo/bar)All of the above constraints MUST be checked at publish time.

Furthermore, the registry MUST provide the following, based on this:

1. Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
2. Autogenerated API docs.
3. Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
4. Usernames/org names and package names must employ a suitably-aggressive levenshtein distance for potential conflicts. This should be aggressive.
5. Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
6. Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
7. Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.

I think that's all I got off the top of my head for now.

There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.

cross-posting my little rant about #npm #npmattack #javascript #typescript stuff here:

Random NPM thoughts of the day:

1. The primary NPM registry should be obsoleted entirely ASAP
2. JSR does not do anywhere near as much as it should, and it's probably too late to fix.
3. A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
4. All packages MUST be ESM (JSR ok here)
5. MUST include docstrings on all publicly-reachable interfaces.
6. MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
7. MUST have a non-trivial README.
8. MUST be tied to a PUBLIC repo.
9. MUST NOT have install scripts (yeah sorry, the fight's over)
10. MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
11. MUST have a name that is scoped to its publishing user/org (@foo/bar)All of the above constraints MUST be checked at publish time.

Furthermore, the registry MUST provide the following, based on this:

1. Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
2. Autogenerated API docs.
3. Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
4. Usernames/org names and package names must employ a suitably-aggressive levenshtein distance for potential conflicts. This should be aggressive.
5. Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
6. Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
7. Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.

I think that's all I got off the top of my head for now.

There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.

Learning web development: Frontend frameworks
https://2ality.com/2025/09/frontend-frameworks.html

#2ality#WebDev#JavaScript

Learning web development: Frontend frameworks
https://2ality.com/2025/09/frontend-frameworks.html

#2ality#WebDev#JavaScript

Announcing Reciprocate, a Sweet Solution for Making Your HTML Web Components Reactive

Have you ever been chipping away on vanilla #WebComponents when you began to wonder “hey waitaminute…how do I make it so when I set this #JavaScript property, the equivalent #HTML attribute is updated? And if I set this attribute, the equivalent property is updated? Or when either is updated, my component will re-render?! Where are the APIs for this stuff??”

Worry no longer! 🤓 #WebDev

https://thathtml.blog/2025/09/reciprocate-reactivity-for-html-web-components/

Announcing Reciprocate, a Sweet Solution for Making Your HTML Web Components Reactive

Have you ever been chipping away on vanilla #WebComponents when you began to wonder “hey waitaminute…how do I make it so when I set this #JavaScript property, the equivalent #HTML attribute is updated? And if I set this attribute, the equivalent property is updated? Or when either is updated, my component will re-render?! Where are the APIs for this stuff??”

Worry no longer! 🤓 #WebDev

https://thathtml.blog/2025/09/reciprocate-reactivity-for-html-web-components/

Two years ago, I started browsing with #javascript turned off by default, only enabling it (and saving this decision) when needed. With the browsers I am using, it's only 2 clicks.

A lot of insights I got from this experiment:

- most websites are still usable, minus all the annoyances
- websites that refuse to display content at all w/o JS turn out to be not worth visiting. So you have kind of a quality filter.
- browsing is many times faster
- you use the internet much more focused on the content you were actually looking for. No more distractive images, links, embedded content
- enabling JS on sites that automatically redirect you if your #browser misses JS support can be tricky

Two years ago, I started browsing with #javascript turned off by default, only enabling it (and saving this decision) when needed. With the browsers I am using, it's only 2 clicks.

A lot of insights I got from this experiment:

- most websites are still usable, minus all the annoyances
- websites that refuse to display content at all w/o JS turn out to be not worth visiting. So you have kind of a quality filter.
- browsing is many times faster
- you use the internet much more focused on the content you were actually looking for. No more distractive images, links, embedded content
- enabling JS on sites that automatically redirect you if your #browser misses JS support can be tricky

It is so cool that likely one of the fastest (especially compared to better-sqlite3) sqlite bindings for Node.js out there is the one we use for Signal Desktop client.

https://github.com/signalapp/node-sqlcipher

I should find motivation to upstream my ideas to back to Node.js core (JS level parameter binding and row parsing through a compiled function), but I’m… too lazy for that. Happy to explain how it all works to anyone interested, though!

#NodeJS#JavaScript #sqlite3

• #Python is written in C
  - #Perl is written in C
  - #Ruby is written in C
  - #PHP is written in C
  - #JavaScript engines started in C, now mostly in C++
  - #Go was first in C, now written in Go itself
  - #C++ compilers are written in C++
  - #Swift is built with C++ and Swift (on LLVM in C++)
  - #C# runs on .NET, built in C++/C#
  - #JVM (HotSpot) is written in C++

  Yet, people still doubt the necessity of learning C!