💨 September 2025
Supply-chain security, platform APIs, evil package managers

In light of the recent supply-chain attacks in the NPM and Node world (this one and that one), we’re starting with some food for thought about protecting ourselves from malicious dependencies. Obsidian’s philosophy of Less is safer is the best collection of measures to mitigate the risk of successful supply-chain attacks I’ve seen so far. In short:
- Avoid dependencies if possible
- Re-implement or vendor small to medium dependencies (if licensing allows)
- Update large dependencies only periodically after careful manual review
- Block postinstall scripts
- Pin dependencies to patch versions
- Install strictly what’s in the lockfile (`npm ci`)
- Delay updates, as malicious packages are usually detected within hours.
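As an added example (not from the newsletter and not Obsidian’s code), here is a small Node script that checks a project against two of the measures above: dependencies pinned to exact patch versions, and no lifecycle scripts that run at install time. The manifests it inspects are constructed inline; in a real project you would load the root `package.json` and each `node_modules/<name>/package.json` instead. The `.npmrc` keys it emits (`ignore-scripts`, `save-exact`) are real npm settings; the package names in the sample are made up.

```javascript
// Added example, not from the newsletter. Audits a package.json against two
// of the "Less is safer" measures: exact pins and no install-time scripts.

// Exact semver: MAJOR.MINOR.PATCH, optionally with prerelease/build metadata.
// Anything else (^, ~, >=, *, tags like "latest", git or file URLs) is not a pin.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// npm lifecycle hooks that execute during an install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// List every dependency whose specifier is not an exact version.
function findUnpinned(manifest) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] ?? {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Given a map of package name -> that package's package.json contents,
// list the packages that declare install-time scripts.
function findInstallScripts(installedManifests) {
  const hits = [];
  for (const [name, manifest] of Object.entries(installedManifests)) {
    const scripts = manifest.scripts ?? {};
    for (const hook of INSTALL_HOOKS) {
      if (hook in scripts) hits.push({ name, hook, command: scripts[hook] });
    }
  }
  return hits;
}

// Project-wide .npmrc that enforces both measures for future installs:
// ignore-scripts blocks lifecycle scripts, save-exact pins newly added packages.
function hardenedNpmrc() {
  return ["ignore-scripts=true", "save-exact=true"].join("\n") + "\n";
}

function auditReport(rootManifest, installedManifests) {
  return {
    unpinned: findUnpinned(rootManifest),
    installScripts: findInstallScripts(installedManifests),
  };
}

// Constructed sample input: a root manifest with a mix of pinned and ranged
// specifiers, plus two installed packages, one of which declares a postinstall.
const SAMPLE_ROOT = {
  dependencies: { "sample-util": "1.3.0", "sample-helpers": "^4.17.21" },
  devDependencies: { "sample-linter": "~9.0.0", "sample-bundler": "7.1.0" },
};
const SAMPLE_INSTALLED = {
  "sample-util": { name: "sample-util", version: "1.3.0", scripts: { test: "node test.js" } },
  "sample-pkg-with-hook": {
    name: "sample-pkg-with-hook",
    version: "0.0.1",
    scripts: { postinstall: "node setup.js" },
  },
};

console.log(JSON.stringify(auditReport(SAMPLE_ROOT, SAMPLE_INSTALLED), null, 2));
console.log(hardenedNpmrc());
```

Running it prints the two ranged devDependencies and the one postinstall hook; `npm ci` then only installs what the lockfile records, and with `ignore-scripts=true` any package that needs a build step has to be handled explicitly rather than silently executing code during install.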
This sounds reasonable to me. Yet it’s also quite different from our current practice of mostly immediate, mostly automated updates. Interested in hearing your thoughts 🧠
It can also be tricky to avoid dependencies. In Norms, for example, we have very few client-side dependencies. But our toolchain for linting, formatting, and testing is pretty complex. I don’t see how we can reduce that by much without compromising code quality and consistency. This is one of the reasons I’m excited about Vite+, the Vite team’s attempt at replacing the zoo of linters, formatters, test runners, etc. with a unified toolchain. We’ll learn more at this year’s ViteConf!
- Are package managers evil? An interesting argument against automating dependency management in the first place. I tend to agree. In fact I have started vendoring stuff manually for small, personal projects. But as mentioned above, I don’t have good ideas for making this practical for bigger projects that involve many people.
- A good way of reducing dependencies is using features that the platform already offers. Did you know the browser has an internationalization API? Among other things, you can use it for formatting dates, relative time, and numbers. Similarly, the Temporal API already works in Firefox and can be polyfilled in other browsers, removing the need to use dayjs or similar libraries. The browser also has APIs for client-side form validation that can get you pretty far for many basic use cases.
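To show what the built-in internationalization API covers without a date or number library, here is an added example (not from the newsletter) using `Intl.DateTimeFormat`, `Intl.RelativeTimeFormat`, and `Intl.NumberFormat`, which exist in browsers and in Node. The unit-selection thresholds in `formatRelative` are my own choice, not part of the API; Temporal is left out because it is not yet available everywhere without a polyfill.

```javascript
// Added example, not from the newsletter: the platform Intl API standing in
// for a date/number formatting library.

// Relative-time units in ascending order, with the number of seconds in each
// and the threshold (in seconds) below which that unit is used. The thresholds
// are an assumption of this example, not something Intl defines.
const RELATIVE_UNITS = [
  { unit: "second", seconds: 1, below: 60 },
  { unit: "minute", seconds: 60, below: 3600 },
  { unit: "hour", seconds: 3600, below: 86400 },
  { unit: "day", seconds: 86400, below: 7 * 86400 },
  { unit: "week", seconds: 7 * 86400, below: 30 * 86400 },
  { unit: "month", seconds: 30 * 86400, below: 365 * 86400 },
  { unit: "year", seconds: 365 * 86400, below: Infinity },
];

// "in 3 days", "2 hours ago", "yesterday": pick the largest fitting unit and
// let Intl handle pluralisation and phrasing for the requested locale.
function formatRelative(target, now, locale = "en") {
  const diffSeconds = (target.getTime() - now.getTime()) / 1000;
  const magnitude = Math.abs(diffSeconds);
  const { unit, seconds } = RELATIVE_UNITS.find((u) => magnitude < u.below);
  const value = Math.round(diffSeconds / seconds);
  return new Intl.RelativeTimeFormat(locale, { numeric: "auto" }).format(value, unit);
}

// Long date in a fixed time zone, so the output does not depend on the host.
function formatLongDate(date, locale = "en-US", timeZone = "UTC") {
  return new Intl.DateTimeFormat(locale, {
    year: "numeric",
    month: "long",
    day: "numeric",
    timeZone,
  }).format(date);
}

// Currency formatting with locale-specific separators and symbol placement.
function formatCurrency(amount, currency, locale = "en-US") {
  return new Intl.NumberFormat(locale, { style: "currency", currency }).format(amount);
}

// Constructed sample values.
const now = new Date(Date.UTC(2025, 8, 15, 12, 0, 0));
const inThreeDays = new Date(Date.UTC(2025, 8, 18, 12, 0, 0));
const twoHoursAgo = new Date(Date.UTC(2025, 8, 15, 10, 0, 0));

console.log(formatRelative(inThreeDays, now)); // in 3 days
console.log(formatRelative(twoHoursAgo, now)); // 2 hours ago
console.log(formatLongDate(now)); // September 15, 2025
console.log(formatCurrency(1234.5, "EUR")); // €1,234.50
```

Passing a different locale (`"de"`, `"ja"`) to the same functions changes separators, word order and pluralisation with no extra code, which is the part a hand-rolled formatter usually gets wrong.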
- In my recent post about Tailwind I argued that CSS is much more dynamic than it used to be. If you had no idea what I was talking about, here are some good examples: subgrid & container queries change how we can create layouts, and a new approach to container and wrapper classes.
- The Progressive Complexity Manifesto lays out a useful mental model for thinking about server-side rendering and client-side interactivity beyond the static vs. single-page app binary.
- tldr is a project to make man pages more approachable by giving you the most important ways of running commands in an easy-to-read format. You can use their client to run it in your terminal or try it on the web.
- The new Apple OSes have been released and with them the (controversial) liquid glass design. Be that as it may, people have attempted to recreate it on the web. Always love to see that type of experimentation! Wouldn’t be required though if we had access to Apple’s private CSS property that enables the effect.
- New Apple OSes also come with a new major version of Safari. Recently they’ve been packed with features, and this year is no different. Among others, anchor positioning, scroll-driven animations, and SVG favicons are now supported in Safari, which should get them closer to Baseline availability.
- Java 25 has been released with some nice quality-of-life features such as more flexible constructors, top-level `main` methods, and a new way to import things.