
3 posts tagged with "ecosystem"


TanStack Got Compromised: What It Means for Your npm Dependencies 🔒

· 7 min read
Gergely Sipos
Frontend Architect

TanStack packages (@tanstack/query, @tanstack/router, @tanstack/table) collectively pull tens of millions of weekly downloads. They sit deep in dependency trees across a huge number of production apps. In early 2026, an attacker obtained an npm publish token from TanStack's CI pipeline and used it to push malicious versions of several packages. Obfuscated postinstall hooks, which npm runs automatically on every machine that installs the package, phoned home to attacker infrastructure. The window was short, a matter of hours, but hours is a lot of npm install runs.

This isn't a new pattern. The same playbook worked against lottie-player in late 2024 and ua-parser-js in 2021: steal a publish credential, push versions that run code at install time, wait. What changes each time is the name on the package and the number of people scrambling. This post walks through what happened, why the pattern keeps repeating, and what you can do about it today.

The Rust Wave Under Your node_modules 🦀

· 11 min read
Gergely Sipos
Frontend Architect

In January 2020, esbuild 0.1 dropped and gave the JavaScript ecosystem its first taste of what esbuild's own FAQ described as 10–100× faster tooling. The shock was real, but the lasting shift wasn't actually Go. By 2021 the new tools coming out (SWC, Turbopack, Rspack, Biome, oxc, Rolldown, Lightning CSS, plus runtimes like Deno and desktop shells like Tauri) were almost uniformly Rust. Six years later, on a modern frontend project, a non-trivial fraction of what lands in node_modules after npm install is a Rust binary in a thin JavaScript wrapper. This post is a curiosity tour of that landscape: who built what, in what order, and how the Rust pieces actually get into the install. It is not a recommendation post; there is no switch-to-X conclusion at the end.