HomeWeeklyFriendsAboutMusic

FE Bits Vol.27 | Oxfmt Beta Released, Chromium 'CSS Exploit' Was Actually a UAF

发表于 2026-03-01 23:21 更新于 2026-03-01 23:52 1623 字 9 min read

cos avatar

cos

FE / ACG / 手工 / 深色模式强迫症 / INFP / 兴趣广泛养两只猫的老宅女 / remote

202 Articles

21 Categories

136 Tags
Home Weekly
Categories Tags Archives
Friends About Music
FE Bits Vol.27 | Oxfmt Beta Released, Chromium 'CSS Exploit' Was Actually a UAFFE Bits Vol.26 | Gatsby Supports React 19, Rspress 2.0 ReleasedFE Bits Vol.25 | Yarn 6 to Be Rewritten in Rust, CSS Grid Lanes ProgressFE Bits Vol.24 | Rolldown 1.0 RC, Anime.js v4.3 Auto Layout, and Chrome 145 100vw Scrollbar AwarenessFE Bits Vol.23 | jQuery 4 Released, Chrome Adds Vertical Tabs, Astro Acquired by CloudflareFE Bits Vol.22 | CSS @scope Now Widely Available, ViteLand December RecapFE Bits Vol.21 | Blog Christmas Effects and Moe Copy Update, AntV Launches InfographicFE Bits Vol.20 | Blog Updates and FEDAY Highlights, Shadcn Create ReleasedFE Bits Vol.19|New Site Features and React Discloses Two New RSC VulnerabilitiesFE Bits Vol.17|WebGPU Now Supported by All Major Browsers, Ant Design 6 Officially ReleasedFE Bits Vol.16|Cloudflare Incident Report Released, CSSWG Confirms Masonry Layout Syntax grid-lanesFE Bits Vol.15|Chrome Width/Height Animation Reflow Optimization, Node Type Stripping Goes StableFE Bits Vol.14|Chrome Supports Split Views, npm Enforces 2FA, Rspack 1.6FE Bits Vol.13|TypeScript Becomes GitHub's Most-Used Language for the First Time, VoidZero Raises $12.5M Series AFE Bits Vol.12|Next.js 16 Released, Docusaurus 3.9 AI Search, ChatGPT Atlas LaunchedFE Bits Vol.11|React Native 0.82 New Architecture Lands, Bun 1.3 Full-Stack RuntimeFE Bits Vol.10|React Compiler v1.0 Released, React Foundation Established, Vite Documentary and Vite+ LaunchFE Bits Vol.9|Chrome DevTools Launches MCP, Nuxt UI Pro Goes Open Source and FreeFE Bits Vol.8|PyCon Trip, Cloudflare's Big Bug, and NPM Sandworm AlertFE Bits Vol.7|Security Alerts for chalk, debug and Other npm Packages; Remotion Sponsors MediabunnyFE Bits Vol.6|What Changes and What Stays, Chrome's 17th Anniversary and CSS Mixins DraftFE Bits Vol.5|Nx Package Compromised, ESLint Multi-threaded Linting, and Firefox Experimental PWAFE Bits Vol.4|Next 15.5, RN 0.81, and Some Handy ToolsFE Bits Vol.3|CSS attr() Typed Evolution, PostCSS Retrospective After 12 YearsFE Bits Vol.2|V8 Speeds Up JSON.stringify 2x, Vite Weekly Downloads Surpass Webpack for the First TimeFE Bits Vol.1|Hello World, TanStack DB First Beta Release
This issue marks the newsletter's return after the Chinese New Year break, along with the open-source release of MoePeek, a lightweight macOS text-selection translator (Swift 6, ~5MB/50MB). Community highlights: React Foundation moves under the Linux Foundation, TanStack launches Hotkeys, Oxfmt enters Beta (100% Prettier rule compatibility, multi-format support & Tailwind class sorting), and Claude Code introduces Remote Control. The so-called 'CSS exploit' turns out to be a Chromium UAF. Featured articles cover safer Error.isError, explicit resource management with using/[Symbol.dispose], bulletproof React components, virtual scrolling for billions of rows, and practical CSS techniques for lists/zoom/sprites. CSS new features spotlight border-shape. Tools & toys include Modern CSS Snippets, CanWeUse aggregator, broz screenshot browser, SVG Studio, plus curated CodePens and fun sites.

This article has been machine-translated from Chinese. The translation may contain inaccuracies or awkward phrasing. If in doubt, please refer to the original Chinese version.

About this newsletter

This issue's URL: https://blog.cosine.ren/post/weekly-27

This newsletter aims to update every Sunday.

Subscribe to the RSS feed.

WeChat Official Account: FE Bits (前端周周谈 FE Bits). Click the original link to view the full article.

QQ discussion group 598022684 / Discord server

The newsletter content is also open-sourced at fe-bits-weekly. Follow for updates.

Today is March 1, 2026, Sunday.

Personal Updates

The Chinese New Year holiday really recharged me. During the hiatus I went on a coding spree, grinding away on projects. Now the newsletter is back!

I want to say something, but I'm not sure what to say. Just wait for my year-end review post (yes, someone is really writing their year-end review in March)(oh wait that person is me)

After the holiday, I also switched jobs. After working at the new company for a while, I'm increasingly convinced I made the right choice. A lot has happened lately~

If you follow my frontend channel, you probably already know what I've been up to, so let me also formally share our company's job openings here. We're hiring lots of frontend developers — experience with image editors is a plus! All positions are listed in the JD. The higher your anime/otaku level, the better (lol). Feel free to reach out. Remote work, no experience requirements, internships and part-time also welcome — it mainly depends on fit. If interested, send your resume directly to ball@mewtant.io! Just note that you're referred by cos. Also welcome to DM me to learn more~

My experience working here has been absolutely amazing! It's so anime-culture-friendly, totally my vibe!

Our Product: We're a startup focused on anime-style generative AI. Our text-to-image AI generation and consumption platform has become a leading product overseas, with rapidly growing user base and market share.
Our Funding: We've received multiple rounds of investment from top-tier firms including Makers Fund, with a current valuation of over $100 million.
Our Team: Headquartered in Singapore, team members from all over the world enjoy remote work. The team has diverse backgrounds and solid technical skills — no annoying unspoken rules. Both interns and seniors can thrive and learn.
What You'll Get: Cutting-edge technology and product insights in our field, the experience of working on a product together, turning imagination into reality, and meaningful work where you can realize your value.

JD: job.mewtant.io
Company PR: Backed by Sequoia, valued at over $100 million — an anime company mining gold overseas with AI-generated art

Company culture Be Like (directly swiped from saka's post)

MoePeek

Easydict used to leak memory all the time — after running for a while it would become incredibly sluggish. My text-selection translation needs are actually quite minimal, and since I'd learned some Swift before, I just vibed my way through building one over the holiday.

Mainly for my own use. Built with pure Swift 6, installation size ~5MB, background memory usage ~50MB — I feel comfortable leaving it running. If you enable OCR screenshots, runtime memory goes up to around 100MB.

Open-sourced it — feel free to file Issues~ But I might not add new features, just fix bugs.

  • This project has PopClip integration, available in the Release. See the README for FAQ.
  • For more mature alternatives, consider Bob or ClickNow — these commercial products are quite polished.

PS: I really like Easydict, but tracking down and fixing their memory leak issues is quite difficult at this point. So I just vibed a tool with only the features I need.

A lightweight macOS text-selection translation tool, built with pure Swift 6, installation size only 5MB, background memory usage stable at ~50MB.

GitHub: https://github.com/cosZone/MoePeek

MoePeek-promo.webp

Community Updates

  • The React Foundation: React's New Home Hosted by the Linux Foundation: React officially announced the establishment of the React Foundation under the Linux Foundation, marking React's formal transition from Meta to an independent open-source project.

  • TanStack team releases new library TanStack Hotkeys, solving common pitfalls in keyboard shortcut development such as cross-platform compatibility, scope conflicts, and input focus handling. It provides type safety, key sequence recognition, state tracking, and framework adapters for React, along with integrated Devtools plugins for better developer experience.

  • Oxfmt Beta: Oxfmt announced its Beta stage. Since the Alpha release, Oxfmt has significantly expanded its capabilities, including 100% compatibility with Prettier's JavaScript and TypeScript formatting rules, support for multiple file formats (JSON, YAML, HTML, CSS, etc.), built-in Tailwind CSS class sorting and configurable import sorting, plus a Node.js API and extensive editor support. (I've been using it for a while now — it's great.)

  • Claude Code releases Remote Control feature: Claude Code released a new feature called "Remote Control," allowing Max and Pro users to start tasks in the terminal and then continue controlling the Claude Code session from their phone or web browser, enabling seamless cross-device workflows. Currently available to Max users, with Pro user access coming soon. Get started by running claude rc.

  • An Exploit ... in CSS?!: An interesting article about a zero-day exploit CVE-2026-2441 in the Chromium browser that was reported as a "CSS exploit." The article clarifies the technical details, pointing out that the vulnerability isn't in CSS itself, but rather a Use After Free (UAF) memory management flaw in Chromium's rendering engine.

Articles

  • From instanceof to Error.isError: Safer Error Checking in JavaScript: This article introduces the advantages of using Error.isError() over instanceof Error for error checking in JavaScript, especially regarding safety and reliability when handling cross-realm errors.

  • Build Bulletproof React Components: A senior Vercel engineer shares how to build robust React components that handle real-world complex scenarios, covering Server Rendering, Hydration, multiple instances, Concurrent Rendering, Composition, Portal, View Transition, Activity, data leak prevention, and future compatibility — key challenges in modern React applications.

  • The Logo Soup Problem (and Its Solution): The Sanity team developed a React component <LogoSoup /> to solve the visual chaos of "Logo Soup" — the messy arrangement of multiple brand logos on web pages caused by inconsistent sizes, proportions, and visual weight.

  • It's About to Get a Lot Easier for Your JavaScript to Clean Up After Itself: JavaScript is about to get using and [Symbol.dispose] through the Explicit Resource Management proposal, making resource cleanup more unified, reliable, and automatic.

  • An In-Depth Guide to Customising Lists with CSS: This article provides a comprehensive deep dive into customizing HTML list styles with CSS from basic to advanced techniques, while considering both typographic aesthetics and accessibility.

  • Creating Query Abstractions: In React development, developers commonly wrap custom Hooks to reuse useQuery logic. However, the author points out that when combined with TypeScript, this practice not only breaks type inference but also easily leads to complex "generics hell."

  • Zoom!: Analyzes the practical utility of the CSS zoom property in actual layouts and its differences from transform: scale.

  • Remember Sprites: In 2026, revisiting CSS Sprites technique — combining object-fit, object-position, and the step() animation function to create fun frame-by-frame animations.

  • Virtual Scrolling for Billions of Rows — Techniques from HighTable: This article introduces how the <HighTable> React component achieves virtual scrolling for billions of rows through five core techniques, delivering high performance and accessibility.

CSS New Features

Fun Sites

Site URL: Matthew Pothier — Cinematographer

  • Express yourself with Unicode: Kaomoji Cool Club collects a large collection of fun kaomoji (text emoticons) that let you express yourself with Unicode characters.

Tools

  • Modern CSS Code Snippets: modern-css.com is a reference site comparing old CSS hacks with modern native solutions, helping developers move away from outdated methods and leverage the latest CSS features for cleaner, more efficient web design. Very practical, and it has RSS too.
  • Can We Use: canwe.dev is a site aggregating various practical web development tools, helping developers quickly look up Can I Use / Can I Stop, email client support, accessibility information, web platform feature progress, and browser development roadmaps — a one-stop information hub for frontend developers.
  • broz: By antfu — a clean, borderless screenshot browser. Just run npx broz antfu.me to use it.
  • SVG Studio: Yet another browser-based SVG processing tool, integrating optimization, debugging, and rendering issue fixes. Very handy.

Codepen

Flood Above the Floor

See the Pen Eayqjwr by wakana-k (@wakana-k) on CodePen.

Step into this Three.js scene by Wakana Y.K. and find yourself in an elegant room with ankle-deep flooding. Look around to explore, or contemplate the serious water damage to the beautiful interior décor.

Sliding border glow on hover for beveled cards

See the Pen EayVXKj by thebabydino (@thebabydino) on CodePen.

Ana Tudor demonstrates masterful use of modern CSS through corner-shape and background-clip, answering a Reddit question while providing fallbacks for browsers that don't yet support these features. Check out Ana's extensively commented code for implementation details.

Text Effects

https://codepen.io/collection/Poergz
codepen.io

Pedro Ondiviela shares a collection of eye-catching SVG filter and CSS text effects. Each effect is editable, so you can try them with your own text.

Aerodynamic Typography

See the Pen EayBZwy by mike-at-redspace (@mike-at-redspace) on CodePen.

Use the mouse wheel to control the fan and watch letters fly and bounce off walls in this fun Matter.js Pen by mike-at-redspace.

Refs

If you enjoyed this, leave a comment~

© 2020 - 2026 cos @cosine
Powered by theme astro-koharu · Inspired by Shoka