I don't get why they (npm) don't make 2FA validation a thing even for trusted publishing. They already have 2FA; it should not be that hard to add it to this flow too. Sad that the official recommended pattern by GitHub/npm is full of flaws.
Posts by Nicolas Dubien
The UI is confusing to me. I always thought that I toggled on both trusted publish and 2FA...
What the hell. I have 2FA enforced to publish @fast-check.dev but I was able to publish without it. Is "Trusted Publisher" bypassing the 2FA thing?
A few weeks ago I had the chance to speak at React Paris by @bejs.bsky.social
Just turned the talk into a blog post: how we chase performance drifts at Pigment before users feel them ⚡
engineering.pigment.com/2026/04/16/c...
I hate AI when it's like this:
Notion used to have a one-click way to turn text into a quote. They removed this and now I have... AI
So instead of sub-500ms, it now takes 10+ seconds to turn selected text into a quote (type out the prompt, then wait ~4 seconds)
So backwards...
Bailey Pumfleet @pumfleet (1h ago) post in X: Open source is dead. That's not a statement we ever thought we'd make. @calcom was built on open source. It shaped our product, our community, and our growth. But the world has changed faster than our principles could keep up. AI has fundamentally altered the security landscape. What once required time, expertise, and intent can now be automated at scale. Code is no longer just read. It is scanned, mapped, and exploited. Near zero cost. In that world, transparency becomes exposure. Especially at scale. After a lot of deliberation, we've made the decision to close the core @calcom codebase.
So we're back to security through obscurity? Sorry, but this is wrong. Our OSS apps and libs will be more secure thanks to the new models, not less. They are being released to researchers responsibly. Let's help maintainers avoid burnout. Let's fund them. Let's welcome more eyes checking our code.
In the meantime I read and heard of people that supposedly are able to run hundreds of autonomous agents that do everything by themselves.
While I want to trust it, my usage makes me sceptical.
😵‍💫 The more I'm playing with AI, the more I lose the whaouuu effect.
Lately I asked Claude to fix a build step that was failing on one of its PRs, it supposedly fixed it... But actually nothing works. My main problem is that it's not an isolated attempt I have many such cases...
FYI if you use pnpm and upgraded from Vite 7 -> 8, you might still have esbuild installed but unused. You can purge it out by:
1. Set `autoInstallPeers: false` in `pnpm-workspace.yaml`
2. `pnpm i`
3. Undo no1
4. `pnpm i`
Very cool reading. I was recently looking for such a story explaining how to leverage AI on massive rewrites like this one.
I'm still unclear about the review side. How much did you review the produced code? Is it needed given tests are ok? (Honest questions without preferred answer, really curious)
Introducing the Oxc Angular Compiler ✨
✅ 6.4x faster than Angular CLI
✅ 20.7x faster than Webpack
✅ First-class @vite.dev plugin with full HMR
✅ Built with Oxc
✅ Not another slop fork
While this is an experiment, the @angular.dev team is looking into an Oxc integration.
voidzero.dev/posts/oxc-an...
#ReactParis 2026 #Aftermovie is here!
400+ #devs, 23 top-notch #speakers, 11 #sponsors, a world-class venue, a global #community support ... but ONE unforgettable VIBE. Our 3rd edition was our biggest and best yet.
Huge 🩵🤍❤️ to everyone for making #Paris shine!
#React C'est Magique!
React Paris was an awesome conference by @bejs.bsky.social. It has been an honor to speak there and to meet so many awesome people during the two days of the conference.
My talk "chasing performance drifts" is accessible at: m.youtube.com/watch?v=7BbA...
@fast-check.dev: Bring property based testing into JavaScript. It's a fully open source project that has been around for years and has its documentation available at fast-check.dev
Docusaurus 3.10 is out!
Milestone release - Prepare for Docusaurus 4
Security: Trusted Publishing, CI scanner, recommendations
⚡ Docusaurus Faster - Stable, soon the new default
Strict MDX - No proprietary syntax
Storage API - Stable
VCS API - Experimental
docusaurus.io/blog/release...
@npmx.dev also has a builtin diff viewer that even includes a dependency change summary:
npmx.dev/diff/axios/v...
Yesterday I had a "watch CI status" on my claude.ai/code. It was able to automatically take into account what was going on GitHub: CI but also comments.
Did @anthropic.com drop the feature? It was so cool to have something able to track GitHub automatically. Looking forward to having it back.
🚨 Active supply chain attack on axios@1.14.1. The latest version pulls in plain-crypto-js@4.2.1 -- a brand-new package that didn't exist before today.
We're still investigating. If you use axios, pin your version and audit your lockfile. socket.dev/blog/axios-n...
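The post above says to pin the version and audit the lockfile. As an added example (not code from Socket or from the author of this feed), here is a small audit that walks an npm lockfileVersion 3 `package-lock.json`, reports every installed copy of a watched package (including nested copies under another dependency's `node_modules`), flags the versions on a watch list, and shows which packages pull a given dependency in. The sample lockfile, the `demo-app` name and the `some-lib` dependency are constructed for the example; only `axios@1.14.1` and `plain-crypto-js@4.2.1` come from the post.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample lockfile in npm's lockfileVersion 3 layout. Only the
# axios / plain-crypto-js names and versions come from the post above; the
# "demo-app" root and "some-lib" are made up to show a nested copy.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "dependencies": {"plain-crypto-js": "^4.2.1"},
        },
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/some-lib": {
            "version": "2.0.0",
            "dependencies": {"axios": "^1.13.0"},
        },
        # a second, hoisting-blocked copy of axios nested under some-lib
        "node_modules/some-lib/node_modules/axios": {"version": "1.13.2"},
    },
})

# Hypothetical watch list: package name -> versions considered suspicious.
WATCHLIST: Dict[str, Set[str]] = {
    "axios": {"1.14.1"},
    "plain-crypto-js": {"4.2.1"},
}


def package_name(lock_path: str) -> str:
    """Return the package name for a lockfile path such as
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.split("node_modules/")[-1]


def audit_lockfile(lock_text: str, watchlist: Dict[str, Set[str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (name, version, lockfile path, flagged) for every installed copy
    of a watched package. Nested copies are reported separately, since a
    hoisted top-level version says nothing about what a sub-dependency uses."""
    lock = json.loads(lock_text)
    findings = []
    for lock_path, meta in lock.get("packages", {}).items():
        if lock_path == "":  # the root project entry, not an installed package
            continue
        name = package_name(lock_path)
        if name in watchlist:
            version = meta.get("version", "?")
            findings.append((name, version, lock_path, version in watchlist[name]))
    return findings


def dependents_of(lock_text: str, target: str) -> List[str]:
    """List the lockfile entries that declare `target` as a dependency, so a
    flagged package can be traced back to whatever pulled it in."""
    lock = json.loads(lock_text)
    dependents = []
    for lock_path, meta in lock.get("packages", {}).items():
        if target in meta.get("dependencies", {}):
            dependents.append(lock_path or "<root>")
    return sorted(dependents)


if __name__ == "__main__":
    for name, version, lock_path, flagged in audit_lockfile(SAMPLE_LOCKFILE, WATCHLIST):
        marker = "FLAGGED" if flagged else "ok"
        print(f"{marker:8} {name}@{version}  ({lock_path})")
        if flagged:
            print("         pulled in by:", ", ".join(dependents_of(SAMPLE_LOCKFILE, name)))
```

Run it against a real project by replacing `SAMPLE_LOCKFILE` with the contents of its `package-lock.json`; pnpm and Yarn lockfiles use a different layout and would need their own reader. Pinning means an exact version (no `^` or `~`) in `package.json`, and the lockfile audit is what tells you whether a transitive dependency still resolves to the flagged release.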
It was an awesome talk. Highly appreciated it, thanks.
The slides from my talk are accessible at github.com/dubzzz/talks.... I may turn them into an article pretty soon
Following up on my @bejs.bsky.social React Paris talk with a closely related trick we used at #Pigment
While the talk focused on detecting issues globally, this one helped us manually uncover what triggers slow code paths in our pivoting algorithm.
engineering.pigment.com/2024/06/27/f...
@tkdodo.eu telling us more about knip.dev from @webpro.nl at React Paris (@bejs.bsky.social)
I postponed this support for quite some time, but someone proposed a PR and once opened we iterated on it and finally it landed in 0.3.0
Same support planned for Jest. But integration is way more hacky. Or I should say: not too hacky in Vitest and totally hacky for Jest. Still polishing the PR
Such a pleasure to discuss with you yesterday
This connection thing is clearly a big plus of confs
Feeling _extremely_ grateful for the many, _many_ wonderful people I've gotten to know through the web ecosystem and conferences.
Any time I go to a conf, I come home feeling so uplifted and connected. You all are truly "my people", and I'm so blessed to know so many of you!
@beaussan.io on stage
What an awesome conference. Amazed by the quality of the first few talks.
GitHub needs to give maintainers the tools to counter the frictionless AI flows they (and others) have created. A "fix with AI" flow that doesn't require a thorough review is worse than valueless. It's noise. It's pure churn. GitHub has the tools to detect this and educate users about OSS etiquette.
On my way to React Paris by @bejs.bsky.social
Hope to see many folks there