<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="preload" as="image" href="https://bytes.dev/images/bytes-banner-rounded.png">
<link rel="preload" as="image" href="https://bytes.dev/images/content/eyes.png">
<link rel="preload" as="image" href="https://bytes.dev/images/content/katya-help.jpg">
<link rel="preload" as="image" href="https://bytes.dev/images/fb-share-icon.png">
<link rel="preload" as="image" href="https://bytes.dev/images/li-share-icon.png">
<link rel="preload" as="image" href="https://bytes.dev/images/tw-share-icon.png">
<link rel="preload" as="image" href="https://bytes.dev/images/em-share-icon.png">
<link rel="preload" as="image" href="https://bytes.dev/images/content/qa-wolf-logo.png">
<link rel="preload" as="image" href="https://bytes.dev/images/content/monkey-computer.jpg">
<link rel="preload" as="image" href="https://bytes.dev/images/content/pop-quiz.png">
<link rel="preload" as="image" href="https://bytes.dev/images/content/cool-bits.png">
<link rel="preload" as="image" href="https://bytes.dev/images/bytes-icon.png">
<title>Bytes: TanStack Attack</title>
<meta name="color-scheme" content="light dark">
<meta name="supported-color-schemes" content="light dark">
<link href="https://fonts.googleapis.com/css2?family=Fira+Mono&family=Outfit:wght@400;500;700;900&family=Paytone+One" rel="stylesheet">
<style>@media (prefers-color-scheme: dark) {
.email-wrapper {
color: #F9F4DA !important;
background-color: #0F0D0E !important;
}
hr {
border-color: #262422 !important;
}
mark {
background-color: #231F20 !important;
color: #F9F4DA !important;
}
pre {
background-color: #231F20 !important;
border: 1px solid #231F20 !important;
color: #F9F4DA !important;
}
.bg-alt {
background-color: #231F20 !important;
}
.unsubscribe-link {
color: #504C48 !important;
}
.token.punctuation {
color: #f9f4da !important;
}
}
@media screen and (min-width: 600px) {
.mobile-break {
display: none;
}
}</style>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<table class="email-wrapper" border="0" cellspacing="0" width="100%" style="background-color: #FFF; border-collapse: collapse; color: #231F20; font-family: Outfit, sans-serif; font-size: 18px; width: 100%;"><tbody><tr>
<td style="border-collapse: collapse !important; word-break: normal;"></td>
<td width="600px" style="border-collapse: collapse !important; width: 600px; word-break: normal;"><div style="max-width:600px;padding-top:80px">
<div style="text-align:center"><img width="600" style="max-width: 100%; padding-bottom: 40px;" src="https://bytes.dev/images/bytes-banner-rounded.png" alt="Bytes"></div>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><strong style="font-weight: 600;">Today’s issue:</strong> Great libraries steal, brilliant rodents build terminal emulators, and your local PBS station helps you write CSS.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">Welcome to <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/9qhzhdudr8ewo6h9/aHR0cHM6Ly9ieXRlcy5kZXYvYXJjaGl2ZXMvNDg2" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927242">#486</a>.</p>
<hr style="border: 0; border-bottom: 5px solid; border-color: #f5f5f5; margin-bottom: 100px; margin-top: 100px;">
<div style="text-align:center;margin-bottom:36px">
<img width="80" src="https://bytes.dev/images/content/eyes.png" alt="Eyeballs logo" style="max-width: 100%;"><h2 style="font-family: Paytone One, sans-serif; font-size: 28px; margin-top: 10px; text-transform: uppercase;">The Main Thing</h2>
</div>
<div class="bg-alt" style="background-color: #f5f5f5; border-radius: 16px; margin-bottom: 40px; max-width: 100%; padding: 24px; padding-bottom: 12px;">
<img src="https://bytes.dev/images/content/katya-help.jpg" alt="A woman holding a little hand that says help on it" width="600" style="border-radius: 5px; max-width: 100%;"><p style="font-family: Outfit, sans-serif; font-size: 17px; font-style: italic; line-height: 1; margin: 0; padding-bottom: 4px; padding-left: 24px; padding-right: 24px; padding-top: 10px; text-align: center;">Me after revoking my GitHub tokens without reading the postmortem first</p>
</div>
<h3 style="font-size: 24px; margin-bottom: 0; padding-left: 24px; padding-right: 24px;">TanStack Attack</h3>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">Yesterday, an attacker published 84 malicious versions across 42 <code style="font-size: 15px;">@tanstack/*</code> packages that were live for ~20 minutes before external researcher <code style="font-size: 15px;">ashishkurmi</code> caught it.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">The good news is that it was discovered quickly, so packages were deprecated and tarballs pulled. The bad news is that if you ran <code style="font-size: 15px;">npm install</code> yesterday, your machine may be cooked.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><strong style="font-weight: 600;">How it worked:</strong> The attack worked by chaining three vulnerabilities together. A malicious PR exploited <code style="font-size: 15px;">pull_request_target</code> in GitHub Actions to poison the shared pnpm cache with a custom payload.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">So the next time a legitimate release ran, it restored that poisoned cache, and the attacker’s code extracted an OIDC token directly from runner memory to publish to npm without ever touching a stored credential. To npm, the poisoned version looked 100% legitimate.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">And once installed, the payload got pretty nasty:</p>
<ul>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><strong style="font-weight: 600;">Credential harvesting</strong> — AWS, GCP, Kubernetes, Vault, GitHub tokens, SSH keys, <code style="font-size: 15px;">~/.npmrc</code>. Everything reachable from the install host.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><strong style="font-weight: 600;">Self-propagating worm</strong> — Queries the npm registry for other packages the victim maintains and reinfects those too.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><strong style="font-weight: 600;">Dead man’s switch</strong> — <code style="font-size: 15px;">~/.local/bin/gh-token-monitor.sh</code> installs as a systemd service (Linux) or LaunchAgent (macOS) and polls <code style="font-size: 15px;">api.github.com/user</code> with the stolen token every 60s. If the user revokes the token, it runs <code style="font-size: 15px;">rm -rf ~/</code>. Revoking is what pulls the trigger, so <strong style="font-weight: 600;">do not</strong> just go rotating credentials before you read <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/3ohphdu3g8kmerhr/aHR0cHM6Ly9naXRodWIuY29tL1RhblN0YWNrL3JvdXRlci9pc3N1ZXMvNzM4Mw==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927243">the full warning</a>.</p>
</li>
</ul>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><strong style="font-weight: 600;">What to do:</strong></p>
<ul>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Carefully rotate credentials if you installed any <code style="font-size: 15px;">@tanstack/*</code> package on May 11th</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Set a <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/n2hohquv04lqz5h6/aHR0cHM6Ly9kYW5pYWthc2guY29tL3Bvc3RzL3NpbXBsZXN0LXN1cHBseS1jaGFpbi1kZWZlbnNlLw==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927244">minimum release age</a> in your package manager. A 7-day hold would have blocked most known supply chain attacks from the past 8 years</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Upgrade to pnpm 11, which has supply chain attack mitigations baked in</p>
</li>
</ul>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><strong style="font-weight: 600;">Bottom Line:</strong> TanStack is one of the most respected and well-maintained OSS orgs we have. So if they can get hit this cleanly, maybe it’s finally time for the industry to move on from npm for good.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">We can dream.</p>
<hr style="border: 0; border-bottom: 5px solid; border-color: #f5f5f5; margin-bottom: 100px; margin-top: 100px;">
<div style="text-align:center;margin-bottom:36px">
<img width="150" src="https://bytes.dev/images/content/qa-wolf-logo.png" alt="QA Wolf logo" style="max-width: 100%;"><h2 style="font-family: Paytone One, sans-serif; font-size: 28px; margin-top: 10px; text-transform: uppercase;"><span>Our Friends <br class="mobile-break">(With Benefits)</span></h2>
</div>
<div class="bg-alt" style="background-color: #f5f5f5; border-radius: 16px; margin-bottom: 40px; max-width: 100%; padding: 24px; padding-bottom: 12px;">
<img src="https://bytes.dev/images/content/monkey-computer.jpg" alt="A monkey lying in bed on a computer" width="600" style="border-radius: 5px; max-width: 100%;"><p style="font-family: Outfit, sans-serif; font-size: 17px; font-style: italic; line-height: 1; margin: 0; padding-bottom: 4px; padding-left: 24px; padding-right: 24px; padding-top: 10px; text-align: center;">When testing the code takes longer than writing the code</p>
</div>
<h3 style="font-size: 24px; margin-bottom: 0; padding-left: 24px; padding-right: 24px;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/vqh3hmuor6q0zetg/aHR0cHM6Ly93d3cucWF3b2xmLmNvbQ==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927250">The testing platform built for AI software development</a></h3>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">When testing can’t keep up with AI, your team’s PRs pile up, releases get stuck in QA, and you ship a lot more slop to production.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/vqh3hmuor6q0zetg/aHR0cHM6Ly93d3cucWF3b2xmLmNvbQ==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927250">QA Wolf</a> built a testing platform for agentic SDLC, so your team can ship fast and fearlessly:</p>
<ul>
<li>
<strong style="font-weight: 600;">Mapping AI</strong> autonomously maps your app’s workflows</li>
<li>
<strong style="font-weight: 600;">Automation AI</strong> generates deterministic, code-based tests for web, iOS, and Android</li>
<li>
<strong style="font-weight: 600;">100% parallel runs</strong> return results in minutes</li>
</ul>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/vqh3hmuor6q0zetg/aHR0cHM6Ly93d3cucWF3b2xmLmNvbQ==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927250">Get a personalized demo for your team</a> – and see why one Salesloft engineer said, “I’ve never seen anything like QA Wolf’s parallel run infrastructure.”</p>
<hr style="border: 0; border-bottom: 5px solid; border-color: #f5f5f5; margin-bottom: 100px; margin-top: 100px;">
<div style="text-align:center;margin-bottom:36px">
<img width="140" src="https://bytes.dev/images/content/pop-quiz.png" alt="Pop Quiz logo" style="max-width: 100%;"><h2 style="font-family: Paytone One, sans-serif; font-size: 28px; margin-top: 10px; text-transform: uppercase;">Pop Quiz</h2>
<div class="section-presenter" style="margin-bottom:50px;margin-top:15px">
<h4 style="font-size: 20px; margin-bottom: 0; padding-left: 24px; padding-right: 24px;">Sponsored by <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/m2h7h6u3zxl5dwhm/aHR0cHM6Ly9nby5jbGVyay5jb20vcmpmaGtCRg==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927252">Clerk</a>
</h4>
<p style="font-family: Outfit, sans-serif; font-size: 18px; line-height: 1.5; margin-top: 5px; padding-left: 24px; padding-right: 24px;"><em>The new <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/m2h7h6u3zxl5dwhm/aHR0cHM6Ly9nby5jbGVyay5jb20vcmpmaGtCRg==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927252">Clerk CLI</a> gives you a single command, <code style="font-size: 15px;">clerk init</code>, that detects your framework, scaffolds Clerk into your project, and wires up auth end to end with middleware, providers, auth pages, and more.</em></p>
</div>
</div>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">What gets logged?</p>
<pre class="language-js" style="-moz-hyphens: none; -moz-tab-size: 2; -ms-hyphens: none; -o-tab-size: 2; -webkit-hyphens: none; background-color: #f9f9f9; border: 1px solid #f9f9f9; border-radius: 8px; color: #c0c5ce; direction: ltr; font-family: 'Fira Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 15px; hyphens: none; line-height: 1.5; overflow: auto; padding: 24px; tab-size: 2; text-align: left; white-space: pre; word-break: normal; word-spacing: normal;"><code class="language-js" style="-moz-hyphens: none; -moz-tab-size: 2; -ms-hyphens: none; -o-tab-size: 2; -webkit-hyphens: none; color: #c0c5ce; direction: ltr; font-family: 'Fira Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 15px; hyphens: none; line-height: 1.5; tab-size: 2; text-align: left; white-space: pre; word-break: normal; word-spacing: normal;"><span class="token keyword" style="color: #f38ba3; font-size: 15px;">function</span> <span class="token function" style="color: #9d7dce; font-size: 15px;">Dog</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token parameter" style="color: #f38ba3; font-size: 15px;">name</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span> <span class="token punctuation" style="color: #231F20; font-size: 15px;">{</span>
  <span class="token keyword" style="color: #f38ba3; font-size: 15px;">this</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span>name <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> name
  <span class="token keyword" style="color: #f38ba3; font-size: 15px;">this</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function-variable function" style="color: #9d7dce; font-size: 15px;">speak</span> <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> <span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span> <span class="token operator" style="color: #12b5e5; font-size: 15px;">=></span> <span class="token string" style="color: #f99157; font-size: 15px;">'Woof Woof'</span>
<span class="token punctuation" style="color: #231F20; font-size: 15px;">}</span>
<span class="token class-name" style="color: #12b5e5; font-size: 15px;">Dog</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span>prototype<span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function-variable function" style="color: #9d7dce; font-size: 15px;">speak</span> <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> <span class="token keyword" style="color: #f38ba3; font-size: 15px;">function</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span> <span class="token punctuation" style="color: #231F20; font-size: 15px;">{</span>
  <span class="token keyword" style="color: #f38ba3; font-size: 15px;">return</span> <span class="token string" style="color: #f99157; font-size: 15px;">'Ruff Ruff'</span>
<span class="token punctuation" style="color: #231F20; font-size: 15px;">}</span>
<span class="token keyword" style="color: #f38ba3; font-size: 15px;">const</span> dog <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> <span class="token keyword" style="color: #f38ba3; font-size: 15px;">new</span> <span class="token class-name" style="color: #12b5e5; font-size: 15px;">Dog</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token string" style="color: #f99157; font-size: 15px;">'Leo'</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span>
console<span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function" style="color: #9d7dce; font-size: 15px;">log</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span>dog<span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function" style="color: #9d7dce; font-size: 15px;">speak</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span>
</code></pre>
<hr style="border: 0; border-bottom: 5px solid; border-color: #f5f5f5; margin-bottom: 100px; margin-top: 100px;">
<div style="text-align:center;margin-bottom:36px">
<img width="110" src="https://bytes.dev/images/content/cool-bits.png" alt="Cool Bits logo" style="max-width: 100%;"><h2 style="font-family: Paytone One, sans-serif; font-size: 28px; margin-top: 10px; text-transform: uppercase;">Cool Bits</h2>
</div>
<ol>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/dphehmuenx26ldim/aHR0cHM6Ly90YWlsd2luZGNzcy5jb20vYmxvZy90YWlsd2luZGNzcy12NC0z" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927253">Tailwind CSS v4.3</a> comes with new scrollbar utilities, new zoom utilities and lots of other little stuff that’s only possible thanks to contributions to your local PBS station from viewers like you.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Jad Joubran wrote about <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/e0hph0u7ozdv86t8/aHR0cHM6Ly9qYWRqb3VicmFuLmlvL2Jsb2cvd2ViLXBsYXRmb3JtLWluZmx1ZW5jZWQtYnktbGlicmFyaWVz" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927254">9 times the web platform was influenced by libraries</a>. Like how my Pre-Calc final answers were influenced by my friend Jon Lee.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/7qh7h2u95exlrlsz/aHR0cHM6Ly93d3cuZ3JlcHRpbGUuY29tL2V4YW1wbGVz" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927255">Greptile in Action</a> is a fun collection of bugs that Greptile caught in some of the most popular open source repos like PyTorch, CUDA, and OpenClaw. And it links to each PR in GitHub, so you can dive deeper. [sponsored]</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/owhkhwuwde092dtv/aHR0cHM6Ly93YWt1LmdnL2Jsb2cvd2FrdS12MS1iZXRh" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927256">Waku 1.0 beta</a> comes with version skew handling, a Vite 8 upgrade with Rolldown, and new compatibility updates for the minimal RSC framework.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/z2hgh7uexzm6qvup/aHR0cHM6Ly9leHBvLmRldi9jaGFuZ2Vsb2cvc2RrLTU2LWJldGE=" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927257">Expo 56 beta</a> comes with 50% faster iOS builds, stable Expo UI, and stable iOS widgets. But by the time your App Store review gets approved, we’ll be on Expo 87.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/p8hehqu4oep6nwbq/aHR0cHM6Ly9ibGFja3NtaXRoLnNoP3V0bV9zb3VyY2U9Ynl0ZXM=" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927258">Blacksmith is a drop-in replacement for GitHub runners</a> that costs 60% less and is 2x faster because it runs on bare metal gaming CPUs. And all your actions are fully observable. [sponsored]</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Sylvie wrote up how they <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/x0hph3ue0m4255f5/aHR0cHM6Ly9zeWx2aWUuZnlpL3Bvc3RzL3JlYWN0MnNoZWxsLw==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927259">discovered and disclosed the React2Shell RCE</a> in React Server Components.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Cyrus made the case for why <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/6qhehoule43rm9bo/aHR0cDovL3VuaXguZm9vL3Bvc3RzL2xvY2FsLWFpLW5lZWRzLXRvLWJlLW5vcm0v" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927260">local AI should become the norm</a>.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/kkhmh2unvpowkoil/aHR0cHM6Ly9mYW5kZi5jby80dHRYdFB1" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927261">16 ways to make a small language model think bigger</a> breaks down fundamental strategies you can use to make smaller models better at multi-step reasoning, without increasing their size. [sponsored]</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Jeff Kaufman explained <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/58hvh8ug2w4xrwf6/aHR0cHM6Ly93d3cuamVmZnRrLmNvbS9wL2FpLWlzLWJyZWFraW5nLXR3by12dWxuZXJhYmlsaXR5LWN1bHR1cmVz" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927262">how AI is breaking two vulnerability cultures</a>.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;">Aral Roca wrote about <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/25h2h9u3wxq9k5i3/aHR0cHM6Ly9kZXYudG8vYXJhbHJvY2EvdGhlLW9uMi1idWctdGhhdC1sb29rZWQtbGlrZS1jbGVhbi1jb2RlLTM1NTY=" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927263">The O(n^2) bug that looked like clean code</a>. If I had a dollar for every time I’ve thought that.</p>
</li>
<li>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5;"><a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/g3hnhwumw209qdir/aHR0cDovL3JhdHR5LXRlcm0ub3JnLw==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927265">Ratty</a> is a terminal emulator with inline 3D graphics and a spinning rat cursor built by Orhun Parmaksız, while under the influence of the small rodent living under his hat and controlling his hands.</p>
</li>
</ol>
<hr style="border: 0; border-bottom: 5px solid; border-color: #f5f5f5; margin-bottom: 100px; margin-top: 100px;">
<div style="text-align:center;margin-bottom:36px">
<img width="140" src="https://bytes.dev/images/content/pop-quiz.png" alt="Pop Quiz logo" style="max-width: 100%;"><h2 style="font-family: Paytone One, sans-serif; font-size: 28px; margin-top: 10px; text-transform: uppercase;">Pop Quiz: Answer</h2>
<div class="section-presenter" style="margin-bottom:50px;margin-top:15px"><h4 style="font-size: 20px; margin-bottom: 0; padding-left: 24px; padding-right: 24px;">Sponsored by <a href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/m2h7h6u3zxl5dwhm/aHR0cHM6Ly9nby5jbGVyay5jb20vcmpmaGtCRg==" style="color: #12b5e5; font-weight: 600; text-decoration: underline;" url-id="1854927252">Clerk</a>
</h4></div>
</div>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">What gets logged?</p>
<pre class="language-js" style="-moz-hyphens: none; -moz-tab-size: 2; -ms-hyphens: none; -o-tab-size: 2; -webkit-hyphens: none; background-color: #f9f9f9; border: 1px solid #f9f9f9; border-radius: 8px; color: #c0c5ce; direction: ltr; font-family: 'Fira Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 15px; hyphens: none; line-height: 1.5; overflow: auto; padding: 24px; tab-size: 2; text-align: left; white-space: pre; word-break: normal; word-spacing: normal;"><code class="language-js" style="-moz-hyphens: none; -moz-tab-size: 2; -ms-hyphens: none; -o-tab-size: 2; -webkit-hyphens: none; color: #c0c5ce; direction: ltr; font-family: 'Fira Mono', 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 15px; hyphens: none; line-height: 1.5; tab-size: 2; text-align: left; white-space: pre; word-break: normal; word-spacing: normal;"><span class="token keyword" style="color: #f38ba3; font-size: 15px;">function</span> <span class="token function" style="color: #9d7dce; font-size: 15px;">Dog</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token parameter" style="color: #f38ba3; font-size: 15px;">name</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span> <span class="token punctuation" style="color: #231F20; font-size: 15px;">{</span>
  <span class="token keyword" style="color: #f38ba3; font-size: 15px;">this</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span>name <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> name
  <span class="token keyword" style="color: #f38ba3; font-size: 15px;">this</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function-variable function" style="color: #9d7dce; font-size: 15px;">speak</span> <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> <span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span> <span class="token operator" style="color: #12b5e5; font-size: 15px;">=></span> <span class="token string" style="color: #f99157; font-size: 15px;">'Woof Woof'</span>
<span class="token punctuation" style="color: #231F20; font-size: 15px;">}</span>
<span class="token class-name" style="color: #12b5e5; font-size: 15px;">Dog</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span>prototype<span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function-variable function" style="color: #9d7dce; font-size: 15px;">speak</span> <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> <span class="token keyword" style="color: #f38ba3; font-size: 15px;">function</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span> <span class="token punctuation" style="color: #231F20; font-size: 15px;">{</span>
  <span class="token keyword" style="color: #f38ba3; font-size: 15px;">return</span> <span class="token string" style="color: #f99157; font-size: 15px;">'Ruff Ruff'</span>
<span class="token punctuation" style="color: #231F20; font-size: 15px;">}</span>
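<span class="token keyword" style="color: #f38ba3; font-size: 15px;">const</span> dog <span class="token operator" style="color: #12b5e5; font-size: 15px;">=</span> <span class="token keyword" style="color: #f38ba3; font-size: 15px;">new</span> <span class="token class-name" style="color: #12b5e5; font-size: 15px;">Dog</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token string" style="color: #f99157; font-size: 15px;">'Leo'</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span>
console<span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function" style="color: #9d7dce; font-size: 15px;">log</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span>dog<span class="token punctuation" style="color: #231F20; font-size: 15px;">.</span><span class="token function" style="color: #9d7dce; font-size: 15px;">speak</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">(</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span><span class="token punctuation" style="color: #231F20; font-size: 15px;">)</span>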
</code></pre>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;"><code style="font-size: 15px;">Woof Woof</code> gets logged.</p>
<p style="font-family: Outfit, sans-serif; font-size: 19px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">Before JavaScript delegates the lookup of a property to the constructor’s <code style="font-size: 15px;">prototype</code>, it first checks whether the property exists on the object returned from the constructor. In this case it does, so that own property is the one that gets called.</p>
<div style="text-align:center;padding-bottom:80px;padding-top:80px">
<div class="bg-alt" style="background-color: #f5f5f5; border-radius: 16px; margin-bottom: 40px; padding: 24px;"><div style="margin-top:-40px">
<p style="font-family: Outfit, sans-serif; font-size: 14px; line-height: 1.5; padding-left: 24px; padding-right: 24px;">Built with ❤️ by <a style="color: #ed203d; font-weight: 600; text-decoration: underline;" href="https://c5e21242.click.convertkit-mail.com/gku3k3q5wwh5hl5goxdarh8o8gxl9cmh2w30/n2hohquv04lq75s6/aHR0cHM6Ly9maXJlc2hpcC5kZXY=" url-id="1854927268">Fireship</a></p>
</div></div>
</div>
</div></td>
<td style="border-collapse: collapse !important; word-break: normal;"></td>
</tr></tbody></table>
</body>
</html>