Dev weekly digest: The week npm caught fire

TanStack's npm supply-chain compromise and Next.js's 13-CVE security release dominated the week, but Rolldown 1.0, Node.js 26.1 with experimental FFI, Bun 1.3.14's built-in image processing, and Expo SDK 56 Beta show the tooling layer kept moving underneath.

Security dominated the past seven days as a new strain of the Shai-Hulud worm tore through TanStack's npm packages and Vercel shipped a coordinated Next.js release patching 13 CVEs. Underneath the crisis, the tooling layer kept moving: Rolldown 1.0 went stable, Node.js 26.1 added experimental FFI, Bun shipped image processing, and Expo SDK 56 landed in beta.

1. TanStack npm supply-chain attack hits 42 packages

On May 11, an attacker chained pull_request_target abuse, GitHub Actions cache poisoning, and OIDC token theft to publish 84 malicious versions across 42 @tanstack/* packages within a 26-minute window. The Shai-Hulud worm payload exfiltrates credentials via Session messenger and spreads to other maintainers — it ultimately compromised ~170 other npm and PyPI packages including ones from Mistral AI, OpenSearch, and UiPath. Anyone who installed an affected @tanstack/router-family version that day should treat their install host as compromised and rotate every reachable credential. Mitigations: set min-release-age (npm) or minimumReleaseAge (pnpm), audit workflows with zizmor, and stop using pull_request_target.

Source: TanStack postmortem
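To make the release-age mitigation concrete, here is an added example (not code from the TanStack postmortem, npm or pnpm) that emulates what `min-release-age` / `minimumReleaseAge` does during resolution: versions younger than the configured window are ignored even when the registry's `latest` tag points at them. The packument is constructed for a hypothetical package; only its `time` field shape follows the npm registry's.

```javascript
// Emulation of the "minimum release age" policy behind npm's min-release-age
// and pnpm's minimumReleaseAge settings: a version is only eligible for install
// once it has been on the registry for at least N days.
// Assumption: `packument.time` has the npm registry's shape of
// { "<version>": "<ISO publish timestamp>", modified: "<ISO timestamp>" }.
const DAY_MS = 24 * 60 * 60 * 1000;
const RELEASE_RE = /^\d+\.\d+\.\d+$/; // stable x.y.z only; prereleases are skipped

// Numeric major.minor.patch comparison (enough for the stable versions handled here).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions that were already `minAgeDays` old at `now`, sorted ascending by semver.
function eligibleVersions(packument, minAgeDays, now = Date.now()) {
  const cutoff = now - minAgeDays * DAY_MS;
  return Object.entries(packument.time)
    .filter(([version, published]) => RELEASE_RE.test(version) && Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareSemver);
}

// Highest version the policy lets install resolve to, or null while every version is quarantined.
function resolveLatest(packument, minAgeDays, now = Date.now()) {
  const ok = eligibleVersions(packument, minAgeDays, now);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample packument for a hypothetical package: two 9.9.x versions were
// pushed twenty minutes apart on the day of a compromise and `latest` already points at the newer one.
const SAMPLE_PACKUMENT = {
  name: '@example/hypothetical-pkg',
  'dist-tags': { latest: '9.9.1' },
  time: {
    modified: '2026-05-11T14:20:00.000Z',
    '9.8.0': '2026-04-20T10:00:00.000Z',
    '9.8.1': '2026-05-02T09:30:00.000Z',
    '9.9.0': '2026-05-11T14:00:00.000Z',
    '9.9.1': '2026-05-11T14:20:00.000Z',
  },
};
const INSTALL_TIME = Date.parse('2026-05-11T16:00:00.000Z'); // two hours after the push

console.log('no policy  ->', resolveLatest(SAMPLE_PACKUMENT, 0, INSTALL_TIME)); // 9.9.1
console.log('7-day wait ->', resolveLatest(SAMPLE_PACKUMENT, 7, INSTALL_TIME)); // 9.8.1
```

The window only buys time: it works because compromised versions were pulled within hours, so pair it with the workflow fixes above rather than relying on it alone.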

2. Next.js patches 13 CVEs in coordinated May release

Vercel shipped Next.js 15.5.18 and 16.2.6 fixing 13 vulnerabilities spanning middleware/proxy bypass, SSRF, cache poisoning, denial of service, and XSS. There are no backports for 13.x or 14.x — those branches must upgrade directly. react-server-dom-* packages need a separate bump to React 19.2.6 to fix a related Server Functions DoS. Vercel specifically notes that WAF rules will not cover these issues, so patching is the only fix.

Source: Next.js May 2026 security release

3. Rolldown 1.0 ships stable

The Rust-based bundler that backs Vite 8 hit a stable v1.0 with semver guarantees and Rollup plugin-API compatibility. Early adopters report 10–30x faster builds than Rollup, and the team is now targeting bundling-in-dev to close the last performance gap caused by serving individual ESM files. If you're on Vite, the upgrade path is largely transparent.

Source: Announcing Rolldown 1.0

4. Node.js 26.1 lands experimental FFI

Node 26.1 introduces the experimental node:ffi module, a Foreign Function Interface for loading dynamic libraries and calling into native code without writing a C++ addon. Combined with last week's 26.0 release that brought the Temporal API, v26 is shaping up to be the most consequential LTS line in years — it goes LTS this October. Node 22.22.3 (current LTS) shipped the same week with V8 backports and npm v10.9.8.

Source: Node.js 26.1 release notes

5. Bun 1.3.14 adds image processing, plus a Rust port reveal

Bun 1.3.14 ships Bun.Image, a built-in image processing API that can replace sharp for many use cases, alongside experimental HTTP/3-over-QUIC in Bun.serve and HTTP/2 + HTTP/3 support in fetch. The package manager also picked up a global virtual store similar to pnpm's. Separately, Jarred Sumner confirmed Bun's experimental Rust port (previously framed as a side experiment) is now passing 99.8% of the test suite at ~960k LOC and is on track to replace the Zig codebase.

Source: Bun v1.3.14 release

6. Expo SDK 56 Beta with stable SwiftUI and Jetpack Compose APIs

Expo SDK 56 beta lands on React Native 0.85 and promotes the SwiftUI and Jetpack Compose interop APIs in expo-ui to stable, along with faster builds and improved Android startup. SDK 56 also includes a Metro overhaul, while react-native-swc-style transformers are reaching production readiness elsewhere in the ecosystem (react-native-swc reports ~8x faster transforms and ~3x faster real-world bundling versus Babel). RN Screens 4.25 drops the legacy architecture entirely.

Source: Expo SDK 56 Beta changelog

7. Flutter switches default iOS dependency manager to Swift Package Manager

Flutter 3.44 will make Swift Package Manager the default dependency manager for iOS and macOS, replacing CocoaPods as it moves to read-only status by the end of 2026. Plugin authors should publish Swift Package versions of their plugins now; apps that depend on CocoaPods-only plugins will need updates before the cutover. This is the most disruptive iOS-side change Flutter has shipped in years.

Source: Flutter SwiftPM migration notes

8. Tailwind CSS 4.3 ships scrollbar utilities and @container-size

Tailwind 4.3 adds first-class scrollbar utilities (scrollbar-* width and color), a @container-size utility for sizing against container queries, new zoom-* utilities, and an expanded color palette. It's a drop-in upgrade for v4 users and the most useful 4.x point release so far for design-system work.

Source: Tailwind CSS v4.3 release notes

9. Safari 26.5 adds :open, anchor positioning fixes, and Origin API

Safari 26.5 ships with the :open pseudo-class (matches open <details>, popovers, and dialogs), improvements to the CSS random() function, anchor positioning fixes, color-interpolation for SVG gradients, and Origin API support. Combined with Chrome's experimental <install> HTML element for installable web apps now behind a flag in Edge and Chrome, the install/dialog primitives are finally converging across engines.

Source: WebKit features for Safari 26.5

10. Vercel ships Flue and zero-native: TypeScript agent harnesses and Zig-powered desktop apps

Two notable Vercel Labs releases. Flue is a runtime-agnostic agent harness framework that lets you build TypeScript agents deployable to Linux, Node, or Cloudflare Workers, with a built-in sandbox usable from GitHub Actions and skill-centric design via AGENTS.md. Zero-native is a desktop app framework built on a Zig core that lets you pick between system WebView or Chromium for the renderer — examples ship for vanilla, React, Svelte, and Vue. Both target the same hole: writing custom agents and cross-platform apps without inheriting Electron's footprint.

Source: Flue framework · zero-native