Dev weekly digest: Copilot grounded, npm under siege, and the toolchain keeps getting faster

GitHub freezes Copilot signups over agentic AI costs, axios npm compromise steals dev secrets, TypeScript 6.0 ships as the last JS-based compiler, Vite 8 goes 10-30x faster with Rolldown, Compose 1.11 adds Grid API, and CSS gets native mixins.

GitHub froze Copilot signups, a supply chain attack hit one of npm's most-downloaded packages, and the rest of the ecosystem shipped speed. Here's what matters from the past seven days.

1. GitHub pauses Copilot signups as agentic AI breaks flat-rate economics

GitHub paused new signups for Copilot Student, Pro, and Pro+ plans on April 20, citing unsustainable compute costs driven by agentic coding workflows. Long-running, parallelized agent sessions now routinely exceed what individual subscribers pay per month. Opus models were also pulled from the Pro tier; Copilot Free remains open, and existing users can still upgrade between plans.

Source: Changes to GitHub Copilot Individual plans — GitHub Blog

2. Axios compromised on npm — malicious versions target developer secrets

On March 30, two rogue versions of the axios HTTP client (1.14.1 and 0.30.4) were published to npm. The package pulls ~100 million downloads per week. A preinstall hook silently bootstrapped Bun, then launched a 9.7 MB obfuscated credential stealer targeting GitHub Actions environments, SSH keys, and AI coding tool configs including ~/.claude.json and MCP server settings. If you haven't audited your lockfile yet, do it now.

Source: Axios Compromised on npm — StepSecurity
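One way to run the lockfile audit suggested above, as an added example that is not code from this digest or from StepSecurity. It checks a parsed `package-lock.json` (nested v1 and flat v2/v3 layouts) for the two axios versions named in this item; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Versions the digest item names as malicious; extend the map for other advisories.
const BAD = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const isBad = (name, version) => BAD.get(name)?.has(version) === true;

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf("node_modules/");
    // meta.name is present for aliased installs; otherwise derive it from the path.
    const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
    if (isBad(name, meta.version)) {
      // hasInstallScript is set by npm when the package declares install-time scripts.
      hits.push({ name, version: meta.version, path, installScript: meta.hasInstallScript === true });
    }
  }
}

// Lockfile v1: nested "dependencies" tree (no install-script flag recorded).
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (isBad(name, meta.version)) {
      hits.push({ name, version: meta.version, path: here.join(" > "), installScript: null });
    }
    scanDependencies(meta.dependencies, here, hits);
  }
}

function auditLockfile(lock) {
  const hits = [];
  // v2 lockfiles carry both sections; prefer "packages" to avoid double counting.
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1", hasInstallScript: true },
  "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
  "node_modules/other-sdk/node_modules/axios": { version: "1.7.9" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "legacy-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
} };

console.log(auditLockfile(sampleV3), auditLockfile(sampleV1));
```

To use it on a real project, pass `auditLockfile` the result of `JSON.parse` on the contents of `package-lock.json`; transitive copies nested under other packages are reported with their full install path.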

3. Self-propagating npm worm hits agentic AI packages

On April 22, Socket and StepSecurity disclosed a CanisterWorm-style malware strain in packages tied to Namastex Labs, an agentic AI startup. The worm extracts npm tokens from a developer's machine, identifies packages the victim can publish, injects a payload, and republishes them — spreading autonomously. Another reason to enable npm 2FA and audit publish permissions on every package you own.

Source: Another npm supply chain worm hits dev environments — The Register

4. Jetpack Compose 1.11 ships with Grid API, new testing defaults, and Android Studio Panda 4

Google released the April '26 Compose update with a stable Grid layout API for two-dimensional screen-level architecture, v2 testing APIs as the new default (v1 deprecated), host-level services that remove compose-ui dependencies for multiplatform libraries, and custom preview wrappers via @PreviewWrapper. Android Studio Panda 4 launched alongside it with a new "Planning Mode" for agentic development.

Source: What's new in the Jetpack Compose April '26 release — Android Developers Blog

5. Firefox 150 lands with split view, PDF page editing, and local network access controls

Firefox 150 shipped on April 21 with split-view browsing (right-click any link to open it alongside your current tab), a PDF viewer that lets you move, copy, and delete pages, real-time in-address-bar translation, and a notable privacy addition: websites must now request explicit permission before connecting to devices on your local network. Mozilla also patched 41 security vulnerabilities in this release.

Source: Firefox 150 release notes — Mozilla

6. TypeScript 6.0 ships as the final JavaScript-based compiler release

TypeScript 6.0 landed on March 23 — the last major version before the Go-native TypeScript 7.0 port. Defaults flip: strict: true, module: esnext, and target: ES2025 are now on by default. The es5 target is deprecated. New additions include built-in Temporal API types, decorator metadata for runtime type access, and #/ subpath imports under nodenext resolution. Migration guides are available; deprecated options will error in 7.0.

Source: Announcing TypeScript 6.0 — Microsoft DevBlogs

7. Vite 8 ships with Rolldown as its unified Rust bundler — 10-30x faster builds

Vite 8.0.0 (released March 12) replaced both Rollup and esbuild with Rolldown, a single Rust-based bundler from the VoidZero team. Build times are 10-30x faster while maintaining full Rollup plugin compatibility. The team also launched registry.vite.dev, a searchable directory of plugins for the Vite, Rolldown, and Rollup ecosystem. Vite now sees 65 million weekly npm downloads.

Source: Vite team boasts 10-30x faster builds with Rust-powered Rolldown — DevClass

8. Expo SDK 55 drops Legacy Architecture, ships Hermes v1

Expo SDK 55 is now stable with React Native 0.83 and React 19.2. The headline: Legacy Architecture support is removed entirely — if you haven't migrated to the New Architecture, this is your deadline. Hermes v1 ships with meaningful performance gains and better modern JS support. Expo Go for iOS SDK 55 entered App Store review on April 17, and GitHub login was added to the Expo platform on April 23. SDK 56 (with React Native 0.85) is expected in May or June.

Source: Expo SDK 55 — Expo Changelog

9. Next.js 16.2 delivers 400% faster dev startup and Server Fast Refresh

Next.js 16.2.2 (patched April 1) brings a 400% improvement in dev startup time and ~50% faster rendering, driven by deep Turbopack integration. Server Fast Refresh — previously limited to client components — now works for server components too. Security patches include CVE-2026-27979 (maxPostponedStateSize enforcement) and CVE-2026-29057 (http-proxy fix). Over 200 bug fixes shipped in this release cycle.

Source: Next.js releases — GitHub

10. CSS native mixins and anchor positioning enter browser implementations

The W3C published the CSS Snapshot 2026, and browsers are actively shipping features that eliminate common JavaScript dependencies. Native CSS mixins (@mixin / @apply with parameters) are arriving, anchor positioning lets you tether elements with pure CSS, sibling-index() and sibling-count() give elements structural awareness without JS, and cross-document view transitions now work for multi-page apps. The @scope rule is also reaching broader support as an alternative to BEM and CSS Modules.

Source: CSS Snapshot 2026 — W3C