7 posts tagged with "javascript"

TanStack AI Beta: The 'Switzerland of AI Tooling' Goes Multi-Modal

· 3 min read
Gergely Sipos
Frontend Architect

TanStack AI reached beta on June 9, positioning itself as the "Switzerland of AI tooling" — framework-agnostic, provider-agnostic, and fully open-source with no hosted platform required. It's built by the same team behind React Query and TanStack Router, and it brings that same philosophy of composable, type-safe primitives to AI application development.

npm v12 Breaking Changes — Install Scripts and Remote Dependencies Locked Down by Default

· 4 min read
Gergely Sipos
Frontend Architect

npm v12 (estimated July 2026) flips three security defaults that have been the most exploited code-execution paths in supply chain attacks. Install scripts, Git dependencies, and remote URL dependencies will all be blocked unless explicitly allowed. These aren't new features — they've been available as opt-in since npm 11.10.0+ — but v12 makes the secure path the default.

If you're running npm 11.16.0+, you're already seeing warnings for these. In v12, warnings become hard blocks. Now is the time to prepare.

TanStack Got Compromised — What It Means for Your npm Dependencies 🔒

· 7 min read
Gergely Sipos
Frontend Architect

TanStack packages — @tanstack/query, @tanstack/router, @tanstack/table — collectively pull tens of millions of weekly downloads. They sit deep in dependency trees across a huge number of production apps. In early 2026, an attacker obtained an npm publish token from TanStack's CI pipeline and used it to push malicious versions of several packages. Obfuscated postinstall hooks phoned home to attacker infrastructure. The window was short — hours — but hours is a lot of npm install runs.

This isn't a new pattern. The same playbook worked against lottie-player in 2025 and ua-parser-js in 2021. What changes each time is the name on the package and the number of people scrambling. This post walks through what happened, why the pattern keeps repeating, and what you can do about it today.

The Rust Wave Under Your node_modules 🦀

· 11 min read
Gergely Sipos
Frontend Architect

In January 2020, esbuild 0.1 dropped and gave the JavaScript ecosystem its first taste of what esbuild's own FAQ described as 10–100× faster tooling. The shock was real, but the lasting shift wasn't actually Go. By 2021 the new tools coming out — SWC, Turbopack, Rspack, Biome, oxc, Rolldown, Lightning CSS, plus runtimes like Deno and desktop shells like Tauri — were almost uniformly Rust. Six years later, on a modern frontend project, a non-trivial fraction of what lands in node_modules after npm install is a Rust binary in a thin JavaScript wrapper. This post is a curiosity tour of that landscape: who built what, in what order, and how the Rust pieces actually get into the install. It is not a recommendation post; there is no switch-to-X conclusion at the end.

Google's Gemma 4 Is Out — Here's Why Web Developers Should Pay Attention

· 8 min read
Gergely Sipos
Frontend Architect

Google just released Gemma 4, the latest generation of their open model family — and two things make this one genuinely different. First, it's now Apache 2.0 licensed, removing the custom-license friction that held back adoption. Second, the lineup spans from a 2B-parameter edge model that fits on a Raspberry Pi to a 31B powerhouse that ranks in the top 3 open-source LLMs on the Arena AI leaderboard. If you're a web developer, this one's worth a closer look 🧠.