npm CLI 11, released in February 2026, ships a new config option called min-release-age. It refuses to resolve any package version published less than a configured number of days ago. The idea is simple: give the community time to detect compromised releases before they land in your node_modules. Previously this was only available via pnpm's minimumReleaseAge โ now npm has it natively.
In January 2020, esbuild 0.1 dropped and gave the JavaScript ecosystem its first taste of what esbuild's own FAQ described as 10โ100ร faster tooling. The shock was real, but the lasting shift wasn't actually Go. By 2021 the new tools coming out โ SWC, Turbopack, Rspack, Biome, oxc, Rolldown, Lightning CSS, plus runtimes like Deno and desktop shells like Tauri โ were almost uniformly Rust. Six years later, on a modern frontend project, a non-trivial fraction of what lands in node_modules after npm install is a Rust binary in a thin JavaScript wrapper. This post is a curiosity tour of that landscape: who built what, in what order, and how the Rust pieces actually get into the install. It is not a recommendation post; there is no switch-to-X conclusion at the end.
Remember when we said this was an experiment? Well, the experiment grew up. We just shipped a curated, 13-tool Recommended Tech Stack for Aliz frontend projects โ a single reference for what we reach for when starting something new.