Dev weekly digest: Axios supply chain attack, Next.js Adapters, and Pretext goes viral
Axios npm package hit by a North Korea-linked supply chain attack, Next.js 16.2 ships a platform-agnostic Adapter API, Pretext rewrites text layout without the DOM, and the React Compiler gets a Rust port. Plus: TanStack Start RSC, Transformers.js v4, RedwoodSDK 1.0, and more.
This week's biggest story was a security wake-up call for the entire JavaScript ecosystem, but there was also plenty to be excited about — from a new text layout paradigm to React's compiler getting a Rust rewrite. Here's what mattered March 28 – April 3, 2026.
1. Axios npm package compromised in North Korea-linked supply chain attack
On March 30, attackers compromised the npm account of an Axios maintainer and published two backdoored versions — axios@1.14.1 and axios@0.30.4 — within a 39-minute window. The malicious releases introduced a dependency called plain-crypto-js whose postinstall hook silently downloaded platform-specific remote access trojans. Google and Microsoft attributed the attack to North Korean threat actors. With Axios pulling over 100 million weekly downloads, even projects that don't use it directly likely have it as a transitive dependency. Downgrade to 1.14.0 or 0.30.3 immediately, and consider adding min-release-age=7d to your .npmrc.
Source: StepSecurity
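For the Axios story above, an added example (not code from the digest, StepSecurity or the Axios project) that scans a parsed package-lock.json for the two backdoored versions and for the plain-crypto-js dropper, wherever they sit in the tree, direct or transitive; the sample lockfile and its "some-sdk" package are constructed.

```javascript
// Added example (not code from the digest, StepSecurity or the Axios project):
// scan a parsed package-lock.json (v2/v3 "packages" map) for the two backdoored
// Axios releases named above and for the plain-crypto-js dropper they pulled
// in, wherever they sit in the tree (direct or transitive).
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const DROPPER = "plain-crypto-js";
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function nameFromPath(pkgPath) {
  const parts = pkgPath.split("node_modules/");
  return parts[parts.length - 1];
}
// One finding per affected lockfile entry; an empty array means clean.
function findCompromised(lockfile) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lockfile.packages || {})) {
    if (pkgPath === "") continue; // root project entry, not a dependency
    const name = nameFromPath(pkgPath);
    let reason = null;
    if (name === "axios" && COMPROMISED_AXIOS.has(meta.version)) {
      reason = "backdoored axios release";
    } else if (name === DROPPER) {
      reason = "dropper dependency added by the compromised releases";
    }
    if (reason) {
      findings.push({
        path: pkgPath, name, version: meta.version, reason,
        // npm sets hasInstallScript on entries with install-time scripts (the dropper's postinstall)
        installScript: Boolean(meta.hasInstallScript),
      });
    }
  }
  return findings;
}
// Constructed sample lockfile: the app depends on a hypothetical "some-sdk",
// which transitively pulls in the backdoored axios@1.14.1.
const SAMPLE_LOCKFILE = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-sdk": "^2.0.0" } },
    "node_modules/some-sdk": { version: "2.3.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "1.0.0", hasInstallScript: true },
  },
};
for (const f of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`${f.path} ${f.name}@${f.version}: ${f.reason}` +
    (f.installScript ? " [runs install script]" : ""));
}
```

To scan a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to findCompromised. A hit on the dropper entry, not only on the axios version, is the signal that the install script already had a chance to run on that machine.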
2. Next.js 16.2 ships stable Adapter API for platform-agnostic deployments
Next.js 16.2 introduces a stable, typed, versioned Adapter API built in collaboration with OpenNext, Netlify, Cloudflare, AWS Amplify, and Google Cloud. The API creates a first-class contract between the framework and hosting providers, complete with a shared correctness test suite that Vercel itself relies on. A new Ecosystem Working Group gives partners early access to changes and direct support for adapter breakage, though they won't participate in Next.js roadmap decisions.
Source: Next.js Blog
3. Pretext: the 15KB library that measures text without the DOM
Cheng Lou, formerly of the React core team and now at Midjourney, released Pretext — a zero-dependency TypeScript library that performs multiline text measurement and layout entirely in userland using Canvas font metrics. The result is 300–600x faster layout calculations than traditional DOM reads, processing 500 different texts in roughly 0.09ms. The library racked up over 25,000 GitHub stars in 48 hours and sparked serious discussion about whether userland layout engines could complement or replace parts of CSS for dynamic layouts.
Source: GitHub
4. React Compiler Rust port lands as a WIP PR
Joseph Savona opened a work-in-progress PR porting the React Compiler to Rust. The architecture was human-designed but majority AI-coded, operating on a Rust-based Babel AST and already passing 100% of Babel integration fixture tests. Early benchmarks show the Rust version running 3x faster as a Babel plugin, with the raw transformation logic clocking ~10x gains. The goal is clean integration with Babel, SWC, and OXC. No prebuilt binaries yet, but the direction is clear: React's build tooling is going native.
Source: GitHub PR #36173
5. TanStack Start previews its take on React Server Components
Tanner Linsley unveiled TanStack Start's RSC implementation at React Paris, and it's deliberately different from Next.js. RSC flight payloads are exposed as plain text streams you can cache, persist, or manipulate. A new "Composite Components" concept replaces 'use client' directives with explicit server/client boundaries, potentially allowing co-location in one file. Server Actions are intentionally omitted for security reasons — you use validated server functions instead. The framework-as-library philosophy gives more flexibility at the cost of more glue code.
Source: React Paris talk
6. Transformers.js v4 brings WebGPU-powered AI to the browser
Hugging Face released Transformers.js v4, switching to a completely rewritten C++ WebGPU runtime that works across browsers, Node.js, and desktop apps. The release adds support for ~200 model architectures including state-space models (Mamba), Mixture of Experts, and Multi-head Latent Attention. Live demos show real-time speech transcription, Qwen 3.5 chat, and video captioning — all running client-side. Install it with npm and bring LLM inference to your frontend without a server round-trip.
Source: GitHub Release
7. RedwoodSDK 1.0: server-first React on Cloudflare
After six years of building in public — and a philosophical pivot from the original RedwoodJS — RedwoodSDK 1.0 has shipped. It's a minimal Vite plugin that unlocks SSR, RSC, and server functions with deep Cloudflare integration: Workers, D1, R2, Queues, and AI are all first-class. The standout feature is useSyncedState, a drop-in useState replacement that syncs state across connected clients via Durable Objects with zero WebSocket boilerplate. The tradeoff is explicit Cloudflare lock-in, which the team argues is worth the infrastructure simplicity.
Source: RedwoodSDK Blog
8. Node.js 25.9 adds --max-heap-size and iterable streams
The latest Node.js Current release introduces --max-heap-size for fine-grained heap control, lands James Snell's experimental stream/iter API (a cleaner iterable streams interface), and improves the built-in test runner's module mocking. Separately, March 24 security releases patched all active LTS lines (v20, v22, v24) — make sure you're updated.
Source: Node.js Blog
9. Claude Code source code leaked via npm sourcemap
Anthropic accidentally shipped a 59.8MB source map file in version 2.1.88 of the @anthropic-ai/claude-code npm package, exposing the full ~512,000-line TypeScript codebase. The leak revealed internal codenames (Capybara for Claude 4.6, Fennec for Opus 4.6), an unreleased persistent background agent mode called KAIROS, and a "dream" mode for continuous background reasoning. Anthropic confirmed no customer data was exposed and attributed the incident to a packaging error. For developers, it's a reminder that source maps in npm packages can expose everything.
Source: Alex Kim's analysis
10. GitHub Copilot will train on Free/Pro user data starting April 24
GitHub announced that starting April 24, interaction data from Copilot Free, Pro, and Pro+ users — including code snippets, surrounding context, file names, repository structure, and feedback signals — will be used to train future AI models by default. Users must manually opt out at /settings/copilot/features. Enterprise and Education users are excluded. If you previously opted out of data collection for product improvements, your preference is preserved.
Source: GitHub Blog