Friday Issue No. 155
This issue is a great snapshot of JavaScript and the wider tooling stack in early 2026. There is a comprehensive “what to know” guide to the language, frameworks and runtimes, a sharp look at the three pillars of JavaScript bloat, and TypeScript 6.0 stepping in as the bridge release towards a Go based future compiler. React gets a thoughtful examination of some of its least loved but unavoidable design choices, while npm supply chain defences show up in the form of minimum release age settings and a detailed breakdown of the Axios social engineering attack.
HTML and CSS bring plenty of visual and practical delights, from email obfuscation and real-world video lazy loading to the new corner-shape property, Subgrid and some very tactile UI experiments like folded corners and paper notes. Rounding things off, Cloudflare’s EmDash makes a bold pitch as a spiritual successor to WordPress, someone renders Doom in 3D using only CSS, and the latest WebAIM Million report reminds us that accessibility still needs active work even in an AI assisted world. Have fun exploring these links!
JavaScript News
All the news you need about JavaScript and around it
For this section, I almost don't need to do anything myself because Chris has already done the heavy lifting. A really solid overview of the main JavaScript language features, runtimes, tooling and frameworks to pay attention to in 2026, all in one place.
https://frontendmasters.com/blog/what-to-know-in-javascript-2026-edition/
Thoughtful post on JavaScript Bloat
This post brought back that old joke: What is the heaviest object in the universe? node_modules. It looks at three structural reasons our dependency trees keep getting bigger (legacy compatibility, “safety” wrappers and tiny one-liner packages) and what we can actually do to slim things down. Really worth the read if your bundles feel uncomfortably large.
https://43081j.com/2026/03/three-pillars-of-javascript-bloat
TypeScript 6.0
We saw an early preview of this a few weeks ago, but if you missed it, TypeScript 6.0 is a bridge release between 5.9 and the future Go based compiler that will arrive in TypeScript 7. It is still implemented in TypeScript/JavaScript, not Go itself, but it changes defaults, drops old output targets and prepares the ecosystem for the upcoming Go rewrite. The announcement post is a chunky one with lots of detail on new strictness, config changes and migration guidance.
https://devblogs.microsoft.com/typescript/announcing-typescript-6-0/
Unavoidable state design choices in React
A thoughtful post on React state management and why some APIs feel awkward yet are very hard to avoid. It digs into things like React’s choice to embrace “snapshot in time” rendering and the way hooks and transitions work, explaining the trade offs behind these decisions rather than just complaining about them.
https://dev.to/playfulprogramming/two-react-design-choices-developers-dont-like-but-cant-avoid-d6g
Minimum release age is an underrated supply chain defence
A simple but surprisingly powerful suggestion: do not install any npm package version that was published less than seven days ago. The author walks through several real incidents and shows how a minimum release age would have completely blocked many short lived attacks with almost no impact on normal development.
https://daniakash.com/posts/simplest-supply-chain-defense/
The Axios supply chain attack used individually targeted social engineering
Simon Willison breaks down the recent Axios incident, in which attackers used highly targeted social engineering rather than simply publishing a malicious package and hoping for the best. It is a sobering look at what “supply chain” means in practice and why safeguards like minimum release age and stronger maintainer workflows matter.
https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/
HTML & CSS News
Email obfuscation
A nice reminder that old and fairly simple email obfuscation techniques still work quite well, and that there are plenty of patterns that look clever but are easy for bots to defeat. The article collects a range of approaches with concrete examples of what to do and what to avoid.
https://spencermortensen.com/articles/email-obfuscation/
How to use standard HTML video & audio Lazy-Loading on the Web today
Somehow, it feels like lazy loading for video and audio has “always” been here, but this post explains what is actually available today and how to use it correctly. There are some gotchas around browser support, interaction with preload and analytics, and the article shows both good patterns and cases where you probably should not reach for lazy loading.
Border-radius
We now have much more than just rounded corners: the new CSS corner-shape property lets you create squircles, bevels, scoops, notches and classic square corners. This piece has great practical UI examples for when a different corner shape communicates hierarchy or feels more tactile than a simple radius.
https://www.smashingmagazine.com/2026/03/beyond-border-radius-css-corner-shape-property-ui/
Peeling off the sticker
A neat little CSS trick that creates a folded corner or “peeling sticker” effect for those special spots where you want something to feel slightly more physical. It is pure CSS, surprisingly simple once you see it and easy to adapt to your own components.
https://kittygiraudel.com/2026/03/05/folded-corner-with-css/
Paper Notes
Delightfully realistic and fluid sticky note UI built with CSS. I also accidentally started reading the imaginary quotes on the notes and had a good laugh, which is always a bonus.
https://codepen.io/TheMOZZARELLA/pen/wBzjVYE
Quick intro to CSS Subgrid and where to use it
Short and very practical introduction to CSS Subgrid, showing how it lets children line up with an outer grid without repeating all the definitions. There are concrete layout examples that make it clear where Subgrid shines and when a regular grid is still enough.
https://dbushell.com/2026/04/02/css-subgrid-is-super-good/
Mixed News
EmDash to replace WordPress
The title is a bit loud, but the idea is interesting. EmDash is pitched as a spiritual successor to WordPress rather than a drop-in replacement, built on Astro, designed to be AI native and running sandboxed plugins on Cloudflare’s platform. Whether it becomes “the” successor is an open question, but the post is a good read if you are curious about modern takes on the classic CMS model.
https://blog.cloudflare.com/emdash-wordpress/
Matt Mullenweg (WordPress co-founder) also responded in a follow-up post, which is worth reading both for context and for some slightly amused pushback
https://ma.tt/2026/04/emdash-feedback/
Story behind DOOMed CSS
An amazing project and write-up about rendering Doom in 3D using just CSS. The article covers how it works under the hood and is the kind of over the top experiment that still manages to teach you a few layout and transform tricks along the way.
https://nielsleenheer.com/articles/2026/css-is-doomed-rendering-doom-in-3d-with-css/
Web Report on Accessibility
You might expect that with all the AI help in our tools, the web would quickly become much more accessible, but the latest WebAIM Million report suggests otherwise. CMSes and frameworks do improve things thanks to built-in patterns, with Astro leading this year’s framework list, followed by Next.js and React, but the long tail of issues remains. I am still not entirely sure why Firebase appears in the JavaScript framework list, and the “JavaScript Libraries” chart reads a bit like a WordPress theme bundle of familiar names, such as Lightbox.
https://webaim.org/projects/million/
Comment on BlueSky and Mastodon