JavaScript: Weekly Summary (September 08-14, 2025)

Key trends, opinions and insights from personal blogs

This week’s JavaScript chatter felt like three conversations at once. One about safety and trust. One about when not to use JavaScript at all. And one about weird, bright corners where JS meets WebAssembly and fancy CSS. I would describe them as three threads tugging the same sweater. You pull one, the others move.

The vibe: different roads to the same goal

To me, it feels like folks want two things at the same time.

  • Fewer surprises. Less spooky magic. More honest code.
  • Still keep the good stuff: speed, subtle UI polish, strong security.

I’d say the tension is not new. But the examples this week hit close to the bone. Like, right in the build scripts, right in the worker boot timing, right in your hover effects.

There’s also a gentle nudge running through all of it: if the browser can do it on its own, maybe let it. If an async load could drop a message, don’t pretend it won’t. If your package access is locked down, check it again.

Then there’s a big, flashing sign about supply chains. You know this already. But it came back around with a sting.

Security got loud, again, because money got involved

Brian Krebs wrote about 18 popular npm packages that got compromised through phishing. The attackers lured a developer into sharing a two-factor code. Then they pushed malicious changes to steal crypto. It wasn’t subtle. It didn’t need to be.

I would describe the post as a reminder that the weakest link is often not the code. It’s someone having a long day, opening an email at the wrong time, and typing a code into a bad form. The part that sticks is how fast the bad change can spread. A package update looks routine until it doesn’t.

A few points stand out:

  • The attack path is boring on purpose. Phish. Grab the token. Slip in code. Hope nobody looks until money goes missing.
  • Two-factor is good, but it’s not magic. If a token can be phished, it will be.
  • The payload targeted crypto. That’s the money-magnet angle. But it could be anything. Credentials. Environment keys. You name it.

To me, it feels like seeing someone leave the back door unlocked, not because they’re careless, but because the delivery person was due any minute. Then someone else walks in. I know, it’s an old story. But in npm land, the spread is instant and the guests are thousands.

The post hints at better auth, stronger checks, and more discipline with package publishing. This part is hard, because the chain is long and everyone is in a hurry. Still, there’s a call for things like:

  • Better identity proof at publish time.
  • Stricter machine-to-machine checks, not just one-time codes.
  • Thinking in “blast radius” terms. If a token goes bad, how much damage can it do? Can we shrink the zone?

Not glamorous, but important. It reminded me of those small towns where everyone leaves their doors unlocked. That works until the day it doesn’t, and then it’s a whole different town.

The simplicity drum: just use HTML, like it’s 2009 and that’s okay

Chris Ferdinandi showed up with a vibe that’s very “cut the nonsense,” and I mean that in a good way. The post says many things we do with JavaScript could be HTML and server logic instead. And not just for nostalgia. For speed. For accessibility. For fewer moving parts.

I’d say the examples are what land the punch. Forms that don’t need JS. API-like pages that can just be HTML responses. Buttons that are links. Links that are links. Honest elements doing honest work.

The duo of lines I kept repeating in my head: use JavaScript to enhance. Not to replace. Build on a base that works without it. Let progressive enhancement be more than a slogan.

Why this matters right now:

  • Sites are slow. Many are slow because they rebuild the web inside the web. Routing, templating, data fetching, all on the client, for stuff that could be a simple HTML response.
  • Devices vary wildly. Not everyone has a beefy laptop. Some folks are on cheap phones with flaky connections. HTML loads. JS might not—or might cost too much.
  • Accessibility gets better with native elements. The browser has decades of baked-in behavior. Use it.

You don’t need to swear off JS. Chris doesn’t. It’s more like: stop using a cordless drill to butter toast. It works. Kinda. But it’s silly and it leaves a mess.

The phrasing that stuck with me: “just use HTML.” It sounds blunt. Maybe a little cheeky. But the code comparisons make the case. If you’ve ever built a small feature, then watched the bundler crawl and the lighthouse score fall, you might feel seen here.

I would describe this as the anti-hype reminder we need every few weeks. Not as a rulebook. But as a sanity check. You can do less. You’ll probably like it.

WebAssembly, but from a different angle: a Smalltalk VM that imprints itself

Then there’s thisContext, swinging from the rafters with a project that’s both brainy and practical. It’s the next phase of a Smalltalk virtual machine called Catalyst, targeting WebAssembly GC. The post walks through how they simulate the VM in Smalltalk, ensure types through the sim, and then generate the WASM GC version from that simulation.

I’d describe it as bootstrapping with a mirror. The system teaches itself what it is by running a simulation and then stamping its behavior into the generated code. The phrase that popped up in my mind: imprinting. Like baby ducks. You run the VM in one world, and it imprints behaviors to build a VM in another.

Key bits in simple terms:

  • They use a simulation to keep type info honest. So when code becomes WebAssembly GC, it’s not guessing.
  • Minimal object memory is part security, part speed. Less surface. Less chaos. Faster lookups.
  • Type annotations keep the bridge sturdy between the simulation and the generated output.
  • Previous tools show up again, like the Epigram parsing framework. It’s not a new island. It’s an archipelago.
  • Next step includes object memory snapshots. That’s big for persistence, fast boot, testing, and general peace of mind.

To me, it feels like a careful craftsman setting up a jig before cutting wood. Build the jig. Check the lines. Then run the workpiece through. You get repeatable patterns and less drama later.

Why does this matter to JS folks? Because the web isn’t just JavaScript anymore. WASM GC means more languages can feel native in the browser. You still need JS as glue, yes, but the heavy lifting can happen in a shape that feels safer and faster. This type-safe pipeline is one way to get there without constantly touching the hot stove.

Also, the security angle whispers across. Smaller object memory. Clearer types. It’s less room for bugs to hide. It’s not a guarantee. But it’s a good habit.

If you like reading about systems that build themselves, and you don’t mind a bit of theory with your coffee, go peek at thisContext. The ideas are chewy in a nice way.

Top-level await can bite, especially when workers and Wasm walk in

Nick Babcock takes on top-level await in web workers when using ES6 imports to load WebAssembly. I’d describe the tone as friendly but firm: watch your step. The main gotcha is message loss. You think your worker is ready. You post a message. But your Wasm module is still initializing thanks to the top-level await in an import. Message goes poof. No warning, just a missed handshake.

This is one of those bugs that smells like a race condition and tastes like one too. It only shows up on cold loads or bad networks or when you’re tired. Then it vanishes when you log things. It’s like trying to catch fog with a fork.

Nick suggests:

  • Avoid top-level await in this setup. Prefer dynamic imports you can await in a controlled spot.
  • Make initialization explicit. Have a “ready” signal. Don’t pretend a worker is ready until it says so.
  • Be honest about async boundaries. If something takes time, name it. Wire it. Wait for it.

I’d say the critique of bundlers is fair. They make a lot of things nice. But sometimes they hide the timing so well that you don’t see the moving parts. Then you ship and the first 2% of your users hit a cold cache and an unlucky tick, and now you have a bug report written in sadness.

There’s a theme here that echoes the security post and the HTML post: don’t trust invisible magic. If something important happens, measure it, wire it, and make the flow clear in code. Especially in workers, where the script starts, does a bunch of stuff on import, and you’re off making tea while messages fall on the floor.

If this is your world, have a look at Nick Babcock’s examples. The code shows the failure, which is the best teacher. Then it shows the fix, which is mostly about being intentional.

Fancy UI that still plays nice: the follow-the-leader effect with CSS and a nudge of JS

Una Kravets brought some joy with a technique called “follow-the-leader.” It’s a UI effect where a little follower element moves in sync with your interactions. Hover here, it glides there. Click that, it settles. Scroll, and markers update. It’s smooth. It’s useful. It’s also, weirdly, modest.

I’d describe the post as a love letter to CSS doing the heavy lifting, with just enough JavaScript to make it lively. The demos show:

  • A hover demo where the follower tracks your focus across items.
  • An action bar pattern where the active item has a clear visual buddy.
  • Scroll markers that move like a train on fixed rails.

The trick is keeping state and movement in CSS where possible. JS reads or sets the key bits, but not every pixel of motion. So performance behaves. Accessibility behaves. You get delight without cooking the GPU on a toaster laptop.

To me, it feels like good seasoning. A pinch of JS to wake up a strong CSS base. Not the other way around. Also, there’s a nod to a peer who inspired the technique. That’s nice to see—nobody builds alone.

If you’re into micro-interactions that don’t break the bank, you’ll like this. It’s the opposite of those heavy UI libraries where you import 500kb to move a carat under a tab. This is lean and visible. If it breaks, you can fix it with a little patience and a decent DevTools session.

Three threads, one knot: less magic, more intention

What ties all these pieces, at least to my mind, is a hunger for clarity.

  • Security wants clearer handshakes and safer defaults.
  • HTML-first wants simpler paths that age well.
  • Worker/Wasm wants transparent async flows instead of silent waits and dropped messages.
  • CSS/JS interplay wants a small, honest contract: who does what, and when.

I’d say that’s a lot to ask, but it’s reasonable. The web has grown a thick coat of tooling, some of it brilliant, some of it a bit damp. This week’s posts all point to peeling back a layer so we can see the wood grain again.

The little arguments hiding in the big ones

A few subtle disagreements appeared, or at least different ways to hold the same stick.

  • “Just use HTML” can sound like “never use JS.” It’s not. It’s “prove you need it.” Then bring it in.
  • WebAssembly can look like the opposite of simpler code. But the thisContext post shows a route where safety and structure are built in early, and then compiled forward. Different path to the same goal.
  • Top-level await is a lovely language feature for some cases. In workers plus Wasm, it’s treacherous. You can still use async, but put it in explicit steps. Different cravings, different kitchens.
  • UI polish can be done with heavy JS. Una Kravets shows you can get the same delight with CSS as the engine and JS as the switch.

I would describe this week as a polite tug-of-war between “do less” and “do it right.” Sometimes those are the same thing.

Practical bits you can steal on a Tuesday

Some tiny, very human steps to take, based on the posts:

  • If your worker does imports with top-level await, add a quick test. Send a message right away and see if it’s received. If not, consider dynamic import with explicit init. Give your worker a ready promise and post messages after that. Sounds fussy. It isn’t.
  • Look for spots where a simple form post could replace a JS fetch. Try a day of “can the server render this?” You might like the calm.
  • Review your package publishing path. If a token gives full write power, can you break that into smaller scopes? If an email can trick you once, can you add a second check? A slow, annoying step is sometimes cheaper than a very fast exploit.
  • For UI movement, try a CSS-first approach. Use transform and variables. Let JS set the variable. That’s a nice split of concerns. It also keeps the frame rate smooth on potato hardware.
  • If you’re playing with WASM GC, keep a dev diary of type assumptions. Turn it into annotations. Then into checks. Then into code generation if that’s your vibe. Your future self will send you a gift card.

A strange harmony: minimalism meets machinery

There’s a small paradox here that I liked. The posts keep saying “less.” Less JS for core UX, less hidden magic in async start-up, fewer moving bits in your supply chain. But then thisContext shows a complex pipeline with a simulator, type annotations, and a code generator for WASM GC.

Is that “more,” not “less”? Maybe. But I’d say it’s more like spending complexity upfront to save complexity downstream. You build a jig so every cut after that goes straight. You preheat the oven so the cookies bake even. You write the tight, typed pipeline so the runtime is calm and predictable.

Meanwhile, the HTML-first and CSS-led patterns feel like the other end of the same rope. You cut code, you lift performance, you reduce the points of failure. The net result is the same: less runtime chaos.

This is the part that sounds philosophical, but it’s also very practical. Most teams live closer to the HTML/JS/CSS end than the WASM GC end. But both ends are trying to tame the mid-layer where surprises breed: the bundler, the worker boot, the cross-origin fetch, the dependency tree.

Notes on tone, craft, and how folks explain things

Posting styles this week had a nice spread:

  • Brian Krebs speaks with that “I’ve seen this movie” energy. Clear, understated alarm bells. If you’re a decision maker, it’s the kind of post that makes you ask your team uncomfortable questions in a good way.
  • Chris Ferdinandi writes like someone helping you move house. No fluff. Lots of “lift here, not there” and “you don’t need that vintage couch; it’s just heavy.”
  • Nick Babcock shows the bug, doesn’t scold, and gives the fix. The sort of post you bookmark and send to your future self when a flaky test starts flaking.
  • Una Kravets is equal parts teacher and DJ. Here’s a track. Feel the beat. Now change the tempo with CSS variables. Nice.
  • thisContext writes like a careful lab notebook. It’s not breezy, but it’s honest and shows the scaffolding. If you enjoy the smell of wood glue and precise clamps, you’ll vibe.

Why this week’s mix matters beyond the headlines

I’d say the security story could have drowned everything else. It’s loud. Money was at risk. But the quieter posts help prevent the next breach too, in their own way.

  • If you use less JS, you ship fewer dependencies. Fewer dependencies, fewer supply chain risks. Not zero. Fewer.
  • If your async startup is explicit, you can monitor it, time it, and know when things go weird. Observability thrives on explicit events.
  • If your VM build pipeline encodes types and memory rules early, you narrow the room for undefined behavior later.
  • If your UI is CSS-driven, you reduce JS logic in weird corners where state gets lost and bugs breed.

To me, it feels like a plan. Not a perfect one. But better than shrugging and hoping nothing catches fire.

Little analogies that wouldn’t leave me alone

  • Top-level await in a worker is like taking a phone call as you’re opening the shop. Customers walk in. Nobody at the counter. They tap the bell. No answer. Some leave. Not great.
  • Overusing JS for HTML jobs is like microwaving tea. You can do it. But it tastes like regret.
  • The follow-the-leader effect is a well-trained sheepdog. The flock moves, the dog moves. It looks effortless because someone taught it when to sprint and when to glide.
  • The Smalltalk-to-WASM pipeline is like tracing your drawing onto sturdy paper before inking. It’s slower at first. But the final lines are clean, and you throw away fewer pages.
  • The npm phishing angle is leaving the spare key under the doormat, except the internet is a street where ten thousand people check doormats all day.

Soft disagreements, but with polite edges

I kept thinking: would the HTML-first crowd and the WASM crowd hang out? I think yes, actually. They both want predictable systems. They both want less runtime drama. They differ in flavor—one trims code, the other structures it hard. But they nod at each other across the table.

This week also nudged the bundler conversation. It’s not that bundlers are bad. It’s that some defaults lull us into habits where we forget the real shape of the runtime. Workers are separate worlds. Imports do work. Wasm can take time. Costs don’t vanish because we don’t see them.

So the tiny message is: turn on the lights. If imports are doing heavy lifting, show a spinner or block messages until ready. If CSS is doing heavy lifting, great—document how the variables map to state. If your publishing step has keys to the kingdom, put that step in a high tower with fewer doors.

What I’d do next week, if this stuck

  • Pick one page in your app and strip it to HTML plus a smidge of JS. Ship it to a test group. Measure. See what breaks. Then decide with data.
  • Audit worker initialization flows. If you can’t explain, out loud, when it’s safe to post the first message, write that handshake into code.
  • If you own an npm package, turn on every annoying security setting you can stand. Then add one more. Yes, it’s tedious. Do it anyway.
  • Try a small “follow-the-leader” UI for a tab bar or a menu. Keep logic minimal. Let CSS do the motion.
  • If you dabble in WASM, experiment with a tiny typed layer. Even if you don’t ship it, the practice of clarifying types may spill back into your JS.

The grain of the web this week

I’d describe the web’s grain—the way it wants to be worked with—as leaning toward honesty:

  • Honest HTML for content.
  • Honest JS for enhancements and glue.
  • Honest async with visible steps.
  • Honest builds that know where the code comes from and who touched it.

It’s less glamorous than a shiny “10x faster” headline. But it’s the kind of craft that makes you sleep. When the pager goes off less often, you get Sundays back. That’s worth a lot.

Quick peeks you might enjoy, without giving the whole game away

  • Brian Krebs: if you think your team wouldn’t fall for a phish, read this and then quietly schedule a tabletop exercise. It’s not about blame. It’s about rehearsing the bad day before it happens.
  • Chris Ferdinandi: the side-by-side code bits are the selling point. Won’t spoil them. They’re short and tidy.
  • Nick Babcock: the broken worker snippet is the aha moment. The fix is simple once you see it.
  • Una Kravets: the demos feel like a trick you’ll use twice this month. It’s not eye candy. It’s practical polish.
  • thisContext: if you like compilers, interpreters, and the new WASM GC world, this reads like a progress log that’s actually fun. The imprinting metaphor carries.

A small tangent that loops back

I kept thinking about progressive enhancement as a culture, not just a technique. It asks you to build something that works in the worst case and then gets nicer. That maps straight to the security story. If the worst case is “we ship nothing” until we’re certain, that’s safer than “we ship with half-initialized workers and hope.” And it maps to the WASM story, where the worst case is “the types don’t line up, so we stop.” Not “we guess and push it to prod.”

It’s the same spirit. It shows up everywhere if you look.

The week’s takeaway, said plainly

I’d say: use less JavaScript for the base, use more honesty for the async bits you keep, use strong locks for the code you publish, and let CSS handle motion when it can. If you’re going big with WASM, build the rails first, then run the train.

Feels simple when written like that. It’s not, day to day. But the direction is clear. Like those little blue signs on the motorway telling you which lane not to miss. If you’ve ever taken the wrong exit and had to circle back three miles, you know the feeling.

That’s the flavor of JavaScript land this week. Less mystery. More craft. And a few neat tricks worth stealing, no shame in that.

Next
Previous