
4 posts tagged with "tooling"


npm v12 Breaking Changes — Install Scripts and Remote Dependencies Locked Down by Default

Gergely Sipos, Frontend Architect · 4 min read

npm v12 (estimated July 2026) flips three security defaults that have been the most exploited code-execution paths in supply chain attacks. Install scripts, Git dependencies, and remote URL dependencies will all be blocked unless explicitly allowed. These aren't new features — they've been available as opt-in since npm 11.10.0+ — but v12 makes the secure path the default.

If you're running npm 11.16.0+, you're already seeing warnings for these. In v12, warnings become hard blocks. Now is the time to prepare.
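A pre-flight audit for the three things the post says v12 blocks by default, as an added example that is not part of the original post and not npm's own code: it scans a `package.json` for Git and remote-URL dependency specs and a lockfileVersion 3 `package-lock.json` for Git/remote `resolved` URLs and packages flagged `hasInstallScript`. The package manifest and lockfile below are constructed stand-ins (the package names, URLs and the `https://registry.npmjs.org/` allow-list are assumptions), but `hasInstallScript` and `resolved` are the real lockfile fields npm writes.

```javascript
// Added example: audit a project for what npm v12 will refuse by default
// (install scripts, Git dependencies, remote URL dependencies).
// Sample inputs are constructed for this example, not taken from a real project.

// Dependency spec shapes npm treats as Git dependencies.
const GIT_SPEC = /^(git(\+ssh|\+https?|\+file)?:|github:|gitlab:|bitbucket:|gist:)/;
// Bare "owner/repo[#ref]" shorthand is also a GitHub dependency (scoped names start with "@", so they do not match).
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;
// Plain http(s) URLs in a spec are remote tarball dependencies.
const REMOTE_URL = /^https?:\/\//;

// Classify a package.json dependency spec; anything else ("^1.2.3", "file:", "npm:") is reported as "registry-or-local".
function classifySpec(spec) {
  if (GIT_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec)) return "git";
  if (REMOTE_URL.test(spec)) return "remote-url";
  return "registry-or-local";
}

function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "registry-or-local") findings.push({ name, kind, detail: `${field}: ${spec}` });
    }
  }
  return findings;
}

// registries: tarball URL prefixes that count as registry downloads (assumption: the public registry only).
function auditLockfile(lock, registries) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project entry and workspace symlinks
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (entry.hasInstallScript) findings.push({ name, kind: "install-script", detail: `v${entry.version}` });
    const resolved = entry.resolved || "";
    if (GIT_SPEC.test(resolved)) {
      findings.push({ name, kind: "git", detail: resolved });
    } else if (REMOTE_URL.test(resolved) && !registries.some((r) => resolved.startsWith(r))) {
      findings.push({ name, kind: "remote-url", detail: resolved });
    }
  }
  return findings;
}

// Merge manifest and lockfile findings, one entry per (name, kind), sorted for stable output.
function auditProject(pkg, lock, registries) {
  const seen = new Map();
  for (const f of [...auditLockfile(lock, registries), ...auditManifest(pkg)]) {
    const key = `${f.name}:${f.kind}`;
    if (!seen.has(key)) seen.set(key, f);
  }
  return [...seen.values()].sort((a, b) => a.name.localeCompare(b.name) || a.kind.localeCompare(b.kind));
}

// Constructed sample project (hypothetical packages and URLs).
const samplePackageJson = {
  name: "demo-app",
  dependencies: {
    "left-pad": "^1.3.0",
    "internal-ui": "github:example-org/internal-ui#v2.1.0",
    "legacy-polyfill": "https://cdn.example.com/legacy-polyfill-0.4.2.tgz",
    "some-lib": "example-org/some-lib",
  },
  devDependencies: { esbuild: "^0.25.0" },
};

const samplePackageLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/esbuild": { version: "0.25.0", resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.25.0.tgz", hasInstallScript: true },
    "node_modules/internal-ui": { version: "2.1.0", resolved: "git+ssh://git@github.com/example-org/internal-ui.git#v2.1.0" },
    "node_modules/legacy-polyfill": { version: "0.4.2", resolved: "https://cdn.example.com/legacy-polyfill-0.4.2.tgz" },
    "node_modules/some-lib": { version: "1.0.0", resolved: "git+ssh://git@github.com/example-org/some-lib.git#main" },
  },
};

const ALLOWED_REGISTRIES = ["https://registry.npmjs.org/"];

for (const f of auditProject(samplePackageJson, samplePackageLock, ALLOWED_REGISTRIES)) {
  console.log(`${f.kind.padEnd(14)} ${f.name.padEnd(16)} ${f.detail}`);
}
```

Run it against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))`; every line it prints is a dependency you will have to explicitly allow, vendor, or replace before the v12 hard blocks land.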

npm 11 Adds min-release-age — A Built-In Quarantine for New Packages

Gergely Sipos, Frontend Architect · 2 min read

npm CLI 11, released in February 2026, ships a new config option called min-release-age. It refuses to resolve any package version published less than a configured number of days ago. The idea is simple: give the community time to detect compromised releases before they land in your node_modules. Previously this was only available via pnpm's minimumReleaseAge — now npm has it natively.
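The quarantine rule the post describes, worked through on a registry document, as an added example that is neither npm's implementation nor from the original post: a packument's `time` map records when each version was published, so a version younger than the configured number of days is treated as if it did not exist, and resolution falls back to the newest old-enough version even when `dist-tags.latest` points at the fresh one. The packument, the package name, the version dates and the fixed clock are constructed; the caret-range matcher is a deliberately minimal stand-in for a full semver library.

```javascript
// Added example: min-release-age style resolution against a constructed packument.
// Assumption: the `time` map lists only versions that are still published.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Numeric fields first; a release sorts above a prerelease of the same numbers.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Minimal "^x.y.z" matcher (no prereleases, no compound ranges); enough for this example.
function caretSatisfies(range, v) {
  const base = parseSemver(range.slice(1));
  const sv = parseSemver(v);
  if (!range.startsWith("^") || !base || !sv || sv.pre) return false;
  if (compareSemver(sv, base) < 0) return false;
  if (base.major > 0) return sv.major === base.major;
  if (base.minor > 0) return sv.major === 0 && sv.minor === base.minor;
  return sv.major === 0 && sv.minor === 0 && sv.patch === base.patch;
}

function isOldEnough(publishedAt, nowMs, minReleaseAgeDays) {
  return nowMs - Date.parse(publishedAt) >= minReleaseAgeDays * 86400000;
}

// Returns the newest version matching `range` that has been public for at least
// `minReleaseAgeDays`, plus the matching versions that were held back.
function resolveWithQuarantine(packument, range, minReleaseAgeDays, nowMs) {
  const matching = Object.keys(packument.time)
    .filter((v) => parseSemver(v) !== null && caretSatisfies(range, v)) // skips "created"/"modified"
    .sort((a, b) => compareSemver(parseSemver(b), parseSemver(a)));    // newest first
  const quarantined = matching.filter((v) => !isOldEnough(packument.time[v], nowMs, minReleaseAgeDays));
  const eligible = matching.filter((v) => !quarantined.includes(v));
  return { version: eligible[0] || null, quarantined };
}

// Constructed packument: 1.5.0 is two hours old at the fixed clock below.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "1.5.0" },
  time: {
    created: "2024-03-01T10:00:00.000Z",
    modified: "2026-03-10T08:00:00.000Z",
    "1.3.0": "2025-11-02T09:12:00.000Z",
    "1.4.0": "2026-01-15T14:30:00.000Z",
    "1.4.1": "2026-02-20T11:05:00.000Z",
    "1.4.2": "2026-02-28T16:40:00.000Z",
    "1.5.0": "2026-03-10T08:00:00.000Z",
    "2.0.0-beta.1": "2026-03-05T12:00:00.000Z",
  },
};
const NOW = Date.parse("2026-03-10T10:00:00.000Z"); // constructed clock

for (const days of [0, 7, 30]) {
  const r = resolveWithQuarantine(samplePackument, "^1.0.0", days, NOW);
  console.log(`min-release-age=${days}d -> ${r.version} (held back: ${r.quarantined.join(", ") || "none"})`);
}
```

With a 7-day window the two-hour-old 1.5.0 is skipped and 1.4.2 is chosen; with 30 days everything newer than 1.4.0 is held back. That fallback is the whole point: a hijacked release gets a window in which it cannot reach fresh installs, at the cost of lagging on legitimate patches by the same number of days.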

The Rust Wave Under Your node_modules 🦀

Gergely Sipos, Frontend Architect · 11 min read

In January 2020, esbuild 0.1 dropped and gave the JavaScript ecosystem its first taste of what esbuild's own FAQ described as 10–100× faster tooling. The shock was real, but the lasting shift wasn't actually Go. By 2021 the new tools coming out — SWC, Turbopack, Rspack, Biome, oxc, Rolldown, Lightning CSS, plus runtimes like Deno and desktop shells like Tauri — were almost uniformly Rust. Six years later, on a modern frontend project, a non-trivial fraction of what lands in node_modules after npm install is a Rust binary in a thin JavaScript wrapper. This post is a curiosity tour of that landscape: who built what, in what order, and how the Rust pieces actually get into the install. It is not a recommendation post; there is no switch-to-X conclusion at the end.