FE Bits Vol.8｜PyCon Trip, Cloudflare's Big Bug, and NPM Sandworm Alert | Weekly

This article has been machine-translated from Chinese. The translation may contain inaccuracies or awkward phrasing. If in doubt, please refer to the original Chinese version.

This newsletter aims to be updated every Sunday. The website is still under construction…
Currently, we recommend subscribing to this newsletter’s Quaily RSS via Folo.
WeChat Official Account: 前端周周谈 FE Bits. Click the “read original” link to view the source.
QQ discussion group 598022684 for casual frontend tech & life chats. You can also submit your own articles in the group. Feel free to join — it’s more of a fan community.
This newsletter is also open-sourced at fe-bits-weekly. Feel free to follow along.

Today is September 22, 2025, Monday. Last week was incredibly hectic, so the update got pushed to today.

Last Friday I took a day off and went to Shanghai, visiting the Shanghai Ocean Aquarium.

On Saturday I attended PyCon and met my idol Manjusaka — totally worth it. That evening my flight was delayed, from 8 PM all the way until 4 AM before I got home. What a nightmare.

“Don’t Use Next.js.webp”

Ecosystem & Community Updates

Deep dive into Cloudflare’s September 12, 2025 Dashboard and API Outage: A case where improper use of React useEffect caused Cloudflare’s dashboard to go down, reminding developers to handle side effects carefully.

The article provides a detailed review of the Cloudflare outage. The incident was triggered by a misconfigured useEffect dependency in the frontend React code, where high-frequency API calls compounded with server-side updates, causing an avalanche-style overload. Cloudflare shared the incident timeline, recovery measures, and future improvement plans including automated rollback, capacity management, request retry controls, and observability enhancements.

Quite the big bug in the frontend world (lol).

NPM security keeps delivering: Live Updates: Shai-Hulud, the Most Dangerous NPM Security Vulnerability Ever, Affecting CrowdStrike and Hundreds of Popular Packages

A highly destructive worm virus has appeared in the NPM ecosystem, named after the fictional sandworm from Dune, capable of automatically infecting other NPM packages. The sandworm works by automatically searching for various credentials including NPM credentials after infecting a developer’s device, then automatically tampering with packages the developer has write access to by injecting the worm. Over 178 software packages have been infected so far.

Meet the GitHub MCP Registry: The fastest way to discover MCP Servers: GitHub launches the official MCP Registry, a unified entry point for quickly discovering and using MCP servers.
New in Chrome 140: Chrome 140 adds the source property to ToggleEvent for tracking trigger elements, allows using counter() and counters() in CSS content alt text for improved accessibility, and supports the font-variation-settings descriptor in @font-face rules for finer font adjustments. These improvements enhance developer debugging, accessibility support, and typography control.
Help Us Raise $200k to Free JavaScript from Oracle | Deno: Deno launches a crowdfunding campaign, asking the community to support litigation challenging Oracle’s monopoly on the “JavaScript” trademark, aiming to return it to the public domain.
Safari 26 can now be installed independently, without needing a full macOS update.

Did you know that on macOS, you can update just to Safari 26, while remaining on macOS 15 Sequoia or even macOS 14 Sonoma? Go to > System Settings > General > Software Update. Under “Also Available” you’ll find Safari listed. Click “Update Now”.

Browserslist now supports Baseline feature matching.
Interop 2026 feature proposals are open, encouraging developers to submit standards for unified implementation (Propose a feature).
Chromium adds the ariaNotify() method, facilitating information delivery for assistive technologies.

Articles & Videos

You Don’t Need Animations: Discusses animation use cases and design principles, emphasizing thoughtful use rather than overuse.
Apple has a private CSS property to add Liquid Glass effects to web content: The author discovered while researching WebKit changelogs that Apple is introducing a private CSS property -apple-visual-effect that can apply Liquid Glass effects to web content. While this feature currently can’t be used in Safari or through regular WKWebView unless the private setting useSystemAppearance is enabled — meaning developers can’t directly use it for App Store apps — this change reveals that Apple is already using it internally, showing that webview integration in system apps goes deeper than users realize. This confirms what’s called “The Toupee Theory of In-App Webviews” — good webviews are used unnoticed, while bad ones get noticed by users.
On the Evolution of AI Programming Tools and Vibe Coding: I really agree with the perspective in this article. Vibe Coding isn’t a great name — I prefer to call AI-assisted programming “Context Coding.”
Low and Mid-Tier Mobile for the Real World (2025): Explores device selection recommendations and methodology for web performance testing on real low-end and mid-range phones in 2025.
Oh no, not again… a meditation on NPM supply chain attacks: Reflections on the current state and history of NPM software supply chain attacks.
How to keep package.json under control: Explores how to manage and streamline package.json dependencies in complex React applications, proposing a series of dependency governance methods and tools.
Fetch streams are great, but not for measuring upload/download progress: Explores the fetch API’s streaming upload/download support and its limitations, especially why it’s not suitable for measuring progress.
Replace Your Animated GIFs with SVGs: An in-depth introduction on how to replace traditional GIFs with SVG animations for smaller file sizes and better scalability.
While you’re fixing the fun stuff, fix the important stuff too: While fixing fun little issues, you might as well tackle the more important underlying problems too.

CSS New Features

Modern CSS You Need to Know (2025 Edition): This article surveys the latest developments in modern CSS for 2025, including animating to auto, @function, if(), text-wrap, linear() easing, shape(), enhanced attr(), reading-flow, and more. These new features mostly improve style abstraction capabilities, responsive design flexibility, and typography controllability, while revealing the current support landscape where Chrome leads and Safari/Firefox follow, along with feasibility suggestions for polyfills and progressive enhancement.
Yet Another JS Interaction Eliminated: Navigation Menu Matching with scroll-target-group and
: Explains how to use pure CSS scroll-target-group and :target-current to implement scroll-navigation linkage without additional JS. I’ve seen quite a few English blog posts analyzing this, and it’s nice to finally have one in Chinese from the great Zhang Xinxu.

Fun Projects & Tools

linear() easing generator: Converts easing functions from JavaScript or SVG into CSS linear() format, enabling complex animation effects like bounce, spring, elastic, etc., without JavaScript. I found this tool from the article “Using CSS linear() to achieve more realistic physics animations.”
bahdotsh/wrkflw: Validate and Run GitHub Actions locally: A CLI tool for running and validating GitHub Actions locally.
cchanxzy/react-currency-input-field: React component for an input field: A lightweight React currency input component supporting various formatting and internationalization configurations.
webpro-nl/knip: An analysis tool that helps JavaScript/TypeScript projects detect unused files, dependencies, and exports. Found this in the article above.
WisPaper is a free academic AI assistant developed by Fudan University, designed for researchers. It integrates AI academic search, local literature management, precise translation, intelligent conversation, and core summarization to help researchers quickly retrieve high-quality literature worldwide, break language barriers, extract key points from abstracts, and greatly improve research efficiency. (Discovered via Appinn)
The simplest ever online FFmpeg! Use directly in the browser + AI understands natural language, no downloads or command line needed: An FFmpeg tool usable through the browser, supporting natural language operations and local processing. Online at: https://vidmix.app/ffmpeg-in-plain-english/
Volume: A 3D OKLCH Color Palette Creator: A 3D color selection tool that transforms the color palette experience into spatial exploration.

Gallery Button: A super cool pure CSS gallery preview animation with a paper folding/unfolding effect.

[WebGL] Refraction cursor over video: A shader-based liquid glass refraction cursor effect.

Ecosystem Updates

pnpm 10.16 adds the minimumReleaseAge setting to delay dependency installation, avoiding the immediate installation of potentially compromised versions. You can use minimumReleaseAgeExclude to exclude specific packages (like webpack) from this restriction to always get the latest version. With recent attacks on popular packages becoming frequent, pnpm uses this to reduce the risk of malicious version proliferation.
Lynx 3.4 officially released: Brings HarmonyOS support, new developer tools, input component and animation enhancements, and more.
WebKit Features in Safari 26.0: Safari 26.0 adds 75 new features, 3 deprecations, and 171 other improvements covering CSS, WebGPU, Digital Credentials API, visionOS immersive media, SwiftUI integration, and more.
Node.js v24.8.0 Release: Node.js releases v24.8.0 (Current) with important feature updates and fixes.
- Introduces debugging support for HTTP/2 network calls in Chrome DevTools.
- Adds multiple Web Cryptography algorithms to the crypto module (such as Ed448, ML-DSA, KMAC, Argon2, SLH-DSA, etc.)
- Adds CPU profile API for workers.

Refs

React Status Issue 444: September 17, 2025: This issue covers React community updates, dependency management best practices, AI code review tools, frontend new releases, and the latest developments in the JavaScript ecosystem.
Node Weekly Issue 593: September 16, 2025: This issue focuses on Node.js and ecosystem updates, including package management security, Electron and QUIC progress, new book and tutorial recommendations, and tool and community developments.
Frontend Focus Issue 709: September 17, 2025: The latest developments, technical articles, and tool resources in the frontend field.
Web Weekly #168: A week of frontend and web technology developments covering CSS, accessibility, browser new features, and tool recommendations.
CodePen Spark: A curated CodePen selection covering CSS animations, WebGL effects, frontend new APIs, and development practice sharing.