npm 11 Adds min-release-age — A Built-In Quarantine for New Packages

· 2 min read
Gergely Sipos
Frontend Architect

npm CLI 11, released in February 2026, ships a new config option called min-release-age. It refuses to resolve any package version published less than a configured number of days ago. The idea is simple: give the community time to detect compromised releases before they land in your node_modules. Previously this was only available via pnpm's minimumReleaseAge — now npm has it natively.

TanStack Got Compromised — What It Means for Your npm Dependencies 🔒

· 7 min read
Gergely Sipos
Frontend Architect

TanStack packages — @tanstack/query, @tanstack/router, @tanstack/table — collectively pull tens of millions of weekly downloads. They sit deep in dependency trees across a huge number of production apps. In early 2026, an attacker obtained an npm publish token from TanStack's CI pipeline and used it to push malicious versions of several packages. Obfuscated postinstall hooks phoned home to attacker infrastructure. The window was short — hours — but hours is a lot of npm install runs.

This isn't a new pattern. The same playbook worked against lottie-player in 2025 and ua-parser-js in 2021. What changes each time is the name on the package and the number of people scrambling. This post walks through what happened, why the pattern keeps repeating, and what you can do about it today.

I Tried the LLM Wiki Pattern with Local Models — Here's What Happened 🔒

· 7 min read
Tamás Imets
AI Solution Architect at Aliz

Gergely's post on the LLM Wiki pattern hit close to home. I've been doing something adjacent for a while — personal knowledge management with Obsidian and local LLMs — and I immediately wanted to try the pattern on my own vault. Here's what I ran into, what worked, and what didn't.

The Rust Wave Under Your node_modules 🦀

· 11 min read
Gergely Sipos
Frontend Architect

In January 2020, esbuild 0.1 dropped and gave the JavaScript ecosystem its first taste of what esbuild's own FAQ described as 10–100× faster tooling. The shock was real, but the lasting shift wasn't actually Go. By 2021 the new tools coming out — SWC, Turbopack, Rspack, Biome, oxc, Rolldown, Lightning CSS, plus runtimes like Deno and desktop shells like Tauri — were almost uniformly Rust. Six years later, on a modern frontend project, a non-trivial fraction of what lands in node_modules after npm install is a Rust binary in a thin JavaScript wrapper. This post is a curiosity tour of that landscape: who built what, in what order, and how the Rust pieces actually get into the install. It is not a recommendation post; there is no switch-to-X conclusion at the end.

VS Code Chronicle — Your Agent History Is Now Queryable 🗂️

· 6 min read
Gergely Sipos
Frontend Architect

VS Code 1.118 shipped an experimental feature called Chronicle on April 29, 2026, and it solves a problem most of us have been working around for months: your Copilot Chat history is now a queryable artifact, not a scroll-to-find afterthought. If you've ever prepped for a standup by scrolling through yesterday's agent sessions, or tried to remember what you did across three branches last Thursday, Chronicle targets exactly that pain. The full details are in the VS Code 1.118 release notes — this post is commentary on why it matters, not a restatement of the feature spec.

awesome-copilot: The Community Collection Your Copilot Setup Is Missing

· 4 min read
Gergely Sipos
Frontend Architect

If you've set up GitHub Copilot, written a .github/copilot-instructions.md, maybe defined a custom agent or two — and then wondered "what now?" — the answer is awesome-copilot. It's the single most useful community resource for anyone pushing Copilot beyond defaults. Maintained under the github org, it has built a large community of users and contributors. It covers agents, instructions, skills, plugins, hooks, and agentic workflows — basically every customization surface Copilot exposes. If your setup ends at a .github/copilot-instructions.md, this repo is where you go next.

Inside Nemetschek's Multi-Agent Copilot Setup 🤖🧩

· 12 min read
Gergely Sipos
Frontend Architect

When your product is an AI assistant, using AI to build it feels natural — but doing it well is harder than it sounds. The AI-Assisted Development section describes these patterns in the abstract. This post is what they look like after a year in production on a real Aliz frontend: a React + TypeScript chat-based AI assistant with theming, 18-language internationalization, MCP integrations, and multi-environment deploys. The codebase is large enough that no single prompt can reason about it coherently, which is the whole reason the team stopped reaching for a tool and started building a system — the same shape described in Multi-Agent Orchestration. Three layers of AI setup, a team of specialist agents, and a workflow called QRSPI hold it together.

GitHub's Copilot Individual Shake-Up — What It Means 💸

· 7 min read
Gergely Sipos
Frontend Architect

GitHub has announced changes to its Copilot Individual plans — Free, Pro, and Pro+ — taking effect in April 2026. The details are in the company news post and the changelog entry. Our reaction: unsurprising — and overdue. For historic context (see the Copilot plans page and GitHub's 2025 Pro+ announcement): Copilot Pro has been $10/month since launch, back when frontier models were cheaper and agent mode didn't exist, and Pro+ arrived in April 2025 at $39/month. The economics of that original entry-level tier were never going to survive a world of agentic coding on frontier models. This post is commentary, not a restatement of GitHub's announcement — read the source for the actual numbers.

We Accidentally Built an LLM Wiki πŸ“š

· 9 min read
Gergely Sipos
Frontend Architect

In a recent blog post we explored Karpathy's LLM Wiki pattern — the idea that an LLM should build a persistent, interlinked wiki instead of re-deriving knowledge from scratch on every query. A few days later, it clicked: Aliz Web Hub — a Docusaurus site where AI agents contribute documentation via GitHub PRs — is essentially the same pattern with different tooling. The project predates Karpathy's gist. The parallel was noticed after, not before. The pieces map surprisingly cleanly.

Claude Opus 4.7 Is Out — Our First Take 🧠

· 4 min read
Gergely Sipos
Frontend Architect

Anthropic has released Claude Opus 4.7. Opus 4.6 has been central to our workflow — it powers Claude Code, our ⭐ recommended agent for complex tasks — so any new Opus release is worth paying attention to. That said, our first impression is that this isn't the across-the-board leap some might expect. Here's what we know and what we think.