FE Bits Vol.7|Security Alerts for chalk, debug and Other npm Packages; Remotion Sponsors Mediabunny

Published 2025-09-14 17:25 · 1282 words · 7 min read

cos

Remotion stops in-house development and sponsors Mediabunny instead; npm author Qix and the DuckDB team both had their accounts compromised, with malicious code injected into multiple popular packages, triggering a supply chain security crisis. Articles cover font features, React Native new architecture migration, ES2023 safe array methods, the Rust-built JS runtime Andromeda, CSS refraction and color dynamics tricks, and more. Fun tools include an SVG Path editor, animation-first ForgeUI, image comparison library BlazeDiff, and others. Deno 2.5 updates permission management.

This article has been machine-translated from Chinese. The translation may contain inaccuracies or awkward phrasing. If in doubt, please refer to the original Chinese version.

This newsletter aims to be updated every Sunday. The website is still under construction…
Currently, we recommend subscribing to this newsletter’s Quaily RSS via Folo.
WeChat Official Account: 前端周周谈 FE Bits. Click the “read original” link to view the source.
QQ discussion group 598022684 for casual frontend tech & life chats. You can also submit your own articles in the group. Feel free to join — it’s more of a fan community.
This newsletter is also open-sourced at fe-bits-weekly. Feel free to follow along.

Today is September 14, 2025, Sunday.

I’ve been feeling quite down these past few days, sad for no particular reason. But I still need to keep my spirits up! Emotional cycles are just unreasonable like that, but listening to music helps a lot. Here’s a song recommendation: 「雪路」- 诗岸/wukino

Ecosystem & Community Updates

npm maintainer Qix's account was compromised and malicious code was injected into the following package versions:

  • ansi-styles@6.2.2
  • debug@4.4.2
  • chalk@5.6.1
  • supports-color@10.2.1
  • strip-ansi@7.1.1
  • ansi-regex@6.2.1
  • wrap-ansi@9.0.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • is-arrayish@0.3.3
  • slice-ansi@7.1.1
  • color@5.0.1
  • color-string@2.1.1
  • simple-swizzle@0.2.3
  • supports-hyperlinks@4.1.1
  • has-ansi@6.0.1
  • chalk-template@1.1.1
  • backslash@0.2.1

Meanwhile, the DuckDB-related npm account duckdb_admin was also compromised, and multiple malicious versions were published. The injected code uses the same wallet-draining malware as the Qix attack.

  • duckdb@1.3.3 – ~149k weekly downloads. (Published 2025-09-09 01:13:07 UTC)
  • @duckdb/duckdb-wasm@1.29.2 – ~65k weekly downloads. (Published 2025-09-09 01:11:47 UTC)
  • @duckdb/node-api@1.3.3 – ~83k weekly downloads. (Published 2025-09-09 01:12:15 UTC)
  • @duckdb/node-bindings@1.3.3 – ~72k weekly downloads. (Published 2025-09-09 01:11:13 UTC)
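A defender-side check for the two lists above, added here and not part of the newsletter: it reads a package-lock.json (lockfileVersion 1 or 2/3) and reports every installed copy, nested duplicates included, whose exact version appears in those lists. The function names and the sample lockfile are this example's own.

```javascript
// Added example, not code from the newsletter: scan a package-lock.json for the
// exact package versions listed above. Function names are this example's own.
const AFFECTED = new Set(`ansi-styles@6.2.2 debug@4.4.2 chalk@5.6.1 supports-color@10.2.1
strip-ansi@7.1.1 ansi-regex@6.2.1 wrap-ansi@9.0.1 color-convert@3.1.1 color-name@2.0.1
is-arrayish@0.3.3 slice-ansi@7.1.1 color@5.0.1 color-string@2.1.1 simple-swizzle@0.2.3
supports-hyperlinks@4.1.1 has-ansi@6.0.1 chalk-template@1.1.1 backslash@0.2.1
duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3`.split(/\s+/));

// Every package the lockfile says is installed, nested copies included.
// lockfileVersion 2/3: flat "packages" map keyed by install path;
// lockfileVersion 1: nested "dependencies" tree.
function installedVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1 || !meta.version) continue; // "" is the root project itself
      found.push({ name: path.slice(idx + 'node_modules/'.length), version: meta.version, path });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Installed entries whose exact name@version is on the affected list.
function findCompromised(lockfileText, affected = AFFECTED) {
  return installedVersions(JSON.parse(lockfileText)).filter((p) => affected.has(`${p.name}@${p.version}`));
}

// Constructed sample lockfile (lockfileVersion 3 shape), not from any real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.0' }, // clean version
    'node_modules/debug': { version: '4.4.2' }, // direct hit
    'node_modules/foo/node_modules/color': { version: '5.0.1' }, // nested hit
  },
});
for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`affected version installed: ${hit.name}@${hit.version} (${hit.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of that project's package-lock.json; a match means the listed version is actually resolved in the tree, not merely allowed by a semver range.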

Articles & Videos

  • Get the Maximum Out of Your Font: An excellent article about fonts, introducing little-known but extremely useful features in modern fonts (especially OpenType and Variable Fonts), and how to use these capabilities in CSS. The article also recommends a website for experimenting with variable fonts: v-fonts.com

  • Migrating to React Native’s New Architecture (2025): Shopify shares its experience and strategies for migrating two core applications to React Native’s New Architecture.

  • Safe Array Methods in JavaScript: Introduces ES2023’s new non-mutating array methods toSorted(), toReversed(), and toSpliced(). These new methods behave similarly to their mutable counterparts but return a new array instead of modifying the original.

  • Andromeda is a new JavaScript & TypeScript runtime built with Rust, powered by the Nova engine, featuring memory safety, zero configuration, GPU hardware acceleration, and rich Web API support.

  • Liquid Glass in the Browser: Refraction with CSS and SVG. An absolutely fantastic interactive tutorial with comprehensive technical analysis and tons of demos — they really nailed Web Liquid Glass. Highly recommended.

This article progressively builds Apple Liquid Glass-like refraction and highlight effects using physical refraction principles (Snell’s law), geometric surface functions, vector field calculations, and SVG displacement maps. The author implemented interactive demos in Chrome and demonstrated how to combine refraction and highlights to generate UI components.

Note that this approach is still experimental: only Chromium supports applying SVG filters via backdrop-filter, and performance is a concern. It can be used as an experimental effect in environments like Electron; it is not production-ready.

  • Color Shifting in CSS: This article reveals CSS limitations when implementing dynamic color changes through a particle effect case study, such as gray transitions caused by RGB interpolation, and proposes using CSS filter’s hue-rotate() as a better solution.

  • You Don’t Need Animations: Discusses when animations help user experience in UI design, and when they actually backfire.

  • How To Set Up Express 5 For Production In 2025: A step-by-step guide on building a production-ready Express 5 application with TypeScript in 2025, covering project initialization, code style linting, test-driven development, routing design, authentication, and database integration.

  • Too many tools: How to manage frontend tool overload: Explores the problem of excessive tooling in frontend development and advises developers on managing “tool overload” to improve developer experience. I think this article makes great points — learning “new trends” does not equal “immediately adopting” them. Decisions should be based on experimentation and needs, not marketing hype.

CSS New Features

Relearn CSS with Nine New Modules: Web.dev has updated its Learn CSS course with 9 new modules covering the last four years of CSS innovations.

The updated modules closely follow recent CSS standards development and browser support. All teaching features have reached or are about to enter Baseline status, including new features from Interop 2025 such as anchor positioning and view transitions. Each module includes clear browser support information, ensuring what you learn is immediately usable.

Fun Projects & Tools

  • Yqnn/svg-path-editor: Online editor to create and manipulate SVG paths: An open-source online SVG Path editor where developers can create and modify paths directly in the browser, supporting command palette, keyboard shortcuts, path transformations, coordinate switching, and ViewBox adjustments. GitHub

  • Splidejs/splide: Splide is a lightweight, flexible, and accessible slider & carousel library that combines high performance with accessibility.

  • harlan-zw/mdream: mdream converts any website into clean markdown and llms.txt. Improve your website’s AI discoverability or generate LLM context for your projects.

  • Cosmic UI — a sci-fi themed component library?! Though it feels like the component count is a bit low — it’s a very new library.

  • ForgeUI is an experimental React-based component library focused on “animation-first” design principles, offering animated forms, dynamic cards, shimmering text, and other modern UI components designed to help developers quickly build rich interactive interfaces. Its tech stack includes Next.js, TypeScript, Tailwind CSS, shadcn/ui, and Framer Motion. The project is positioned more as the author’s “personal lab” for developers to reference and use, rather than a formal community-driven open-source product.

  • Andromeda is the latest JavaScript runtime powered by the Nova engine. Built with Rust, it features direct GPU-accelerated graphics support, single-file compilation, and memory safety.

  • BlazeDiff: A high-performance, pixel-accurate JavaScript image comparison library that is approximately 1.5x faster than pixelmatch while maintaining the same accuracy and output quality.

  • Beautiful! The website of poet David Whyte, featuring WebGL-rendered watercolor-like interactive textures that create a unique artistic experience.

Library Updates

  • Deno 2.5: Permissions in the config file: Deno 2.5 brings a series of updates including configuration file permission sets, improved testing API, dependency management optimizations, and performance improvements.

Figure Showcase

This week, the GSC Frieren figure I ordered last year finally arrived! Absolutely divine! The face sculpt looks great too. After this, I probably won’t be buying any more figures~
