FE Bits Vol.34 | @antv npm Supply Chain Attack, Tailwind v4.3 Released

Published 2026-05-19 20:23 · Updated 2026-05-19 20:23 · 1020 words · 6 min read


cos

FE / ACG / crafts / dark-mode obsessive / INFP / homebody with wide-ranging interests and two cats / remote

This issue shares personal musings on leaving a job and the future of AI. Community highlights cover the critical Next.js WebSocket SSRF vulnerability (CVE-2026-44578), the TanStack OIDC token leak that poisoned 84 packages, the AntV npm supply chain attack, plus the official Tailwind CSS v4.3 release (new color palette, webpack plugin, and more) and Bun merging .claude-related PRs. Curated articles include clever tricks for controlling infinite CSS animations, a deep dive into local-first web architecture, an overview of Node.js 26's new features, and a guide to avoiding pitfalls in cross-document view transitions. CSS news focuses on Chrome 149's native support for Gap Decorations and Safari 26.5's new :open pseudo-class. The tool spotlight goes to Find Font, a font browsing tool with AI pairing, while the fun-site pick is Dave Holloway's highly idiosyncratic WebGL portfolio.

This article has been machine-translated from Chinese. The translation may contain inaccuracies or awkward phrasing. If in doubt, please refer to the original Chinese version.

About This Newsletter

This issue's URL: https://blog.cosine.ren/post/weekly-34
This newsletter aims to be updated every Sunday.
Subscribe via RSS.
WeChat public account: FE Bits (前端周周谈 FE Bits). Click "read original" to view the source article.
QQ discussion group 598022684 / Discord server

This newsletter's content is also open-sourced at fe-bits-weekly. Feel free to follow along.

Today is May 19, 2026, Tuesday.

Personal Updates

May Day holiday was an absolute blast! Even got to meet up with Kankan and Zhizi in person. Took a huge pile of photos during the Japan trip — I won't dump them all here; I'll post a separate blog when I'm in the mood. This issue stays short.

  1. Spotted a "beer trading station" while wandering Zhengjia Plaza. I've seen plenty of the world... wait, this one's actually new to me: a beer trading station with prices going up and down, lol
  2. Met up with bug-jie in person over the weekend! Super happy! The crystal bug-jie gave me is gorgeous ww
  3. A few reflections: heard my former company laid off the entire product/R&D/design teams with n+1 severance. It feels bittersweet, with a bit of regret in there too.

The bittersweet part: I left at the end of February, didn't stick around a few more months for the year-end bonus, because I wanted to do more interesting work. Walked away decisively and joined the new company without a gap.

But I genuinely never imagined the team would just get dissolved. I was sincerely sad for a while when I left because my coworkers were great.

In other words, my job switch cost me both the year-end bonus and the n+1 severance, which might be a once-in-a-lifetime experience. What happens next? I don't know. Maybe people are taking a break on the severance and then job hunting.

Back when I switched, I also felt the previous work had stopped being interesting — you could just feel it. The current job is genuinely fun and fulfilling; I'm happy across the board.

Life really is unpredictable. Sometimes I wonder if there are many "what-if" timelines.

Saw a comment I really resonated with: "Maybe if you'd stayed, you'd have missed something more important than the bonus and n+1."

At minimum, I'm in a good place at my current company and I'm content.

A few stray thoughts

Projects

Been a bit listless lately, but the vacation was great. Taking a chill approach to both new and existing projects.

Ecosystem & Community Updates

Next.js shipped a May 2026 security release (CVE-2026-32485/6) patching 13 advisories: middleware/proxy bypass (5), denial of service (3, including the upstream React component vulnerability CVE-2026-23870), server-side request forgery (SSRF, 1), cache poisoning (2), and cross-site scripting (XSS, 2). All users on affected versions (Next.js 13.x/14.x/15.x/16.x and the corresponding react-server-dom-* packages) should upgrade immediately to the fixed releases (Next.js 15.5.18 or 16.2.6, with matching React versions). Only patching fully fixes the issues; WAFs cannot reliably block them.

TanStack (2026-05-11): an OIDC token leak led to 84 poisoned package versions, all taken down within an hour. The malicious versions went after AWS, SSH and other sensitive secrets. Only the Router/Start codebase was affected, covering 42 monorepo packages with two versions each. All affected versions were deprecated within an hour and subsequently removed by npm.

Articles

CSS Features

Tools

Fun Sites

If you enjoyed this, leave a comment~

© 2020 - 2026 cos @cosine
Powered by theme astro-koharu · Inspired by Shoka