This week feels like a full-stack reality check: Gergely Orosz reports that AI is amplifying team culture (good and bad), while Cloudflare shows frontier models already chaining exploits and reviewing attacks better with multi-agent setups.
The ecosystem drama continues: SafeDep tracks 314 compromised npm packages, npm responds with staged publishing, and Andrew Nesbitt explains how open-source projects quietly become zombie dependencies.
On the practical side, Julia Evans makes a strong case for semantic HTML + native CSS, uxdesign.cc reminds AI teams that vague spinners are not UX strategy, and the database/tooling corner is unusually strong: pgsqlite, TypeORM 1.0, and Kanel 4.0 all make modern TS+SQL workflows less painful.
Bonus watch: Martin Fowler and Kent Beck reflecting on 30 years of Agile is a nice antidote to pure AI hype cycles. Also worth noting: Claw Patrol pushes agent-level security controls in the runtime itself, which is exactly where this should be heading.
Enjoy!
Signup here for the newsletter to get the weekly digest right into your inbox.
Find the 12 highlighted links of weeklyfoo #138:
AI's Impact on Software Engineers in 2026: Part 2 #
by Gergely Orosz
Survey of 900+ engineers β AI amplifies existing culture, codebase quality is dropping while management focuses on output, and junior devs are struggling most
π Read it!, ai, engineering
by Julia Evans
Adopting semantic HTML and native CSS β component files, CSS nesting, and grid layouts without the framework dependency
π° Good to know, css, frontend
314 npm Packages Compromised in New Supply-Chain Wave #
by SafeDep Team
The mini Shai-Hulud class of supply-chain attacks returns β 314 packages including the antv family and timeago.js targeted in the latest wave
π° Good to know, security, npm, javascript
What Claude Mythos Showed Cloudflare #
by Cloudflare
Cloudflare CSO reports on Project Glasswing findings β exploit chain construction, proof generation, and adversarial multi-agent review that outperforms single-agent verification
π° Good to know, ai, security
Dumb Ways for an Open Source Project to Die #
by Andrew Nesbitt
Maintainer burnout, funding gaps, and broken tech turn still-used packages into zombies β listed everywhere, quietly dangerous for all downstream dependents
π° Good to know, open-source, engineering
The Waiting Problem in AI Products #
by uxdesign.cc
AI products ignore decades of research on wait time β users need progress indicators, ETAs, and detailed logs instead of vague spinners that force people to invent their own coping behaviors
π° Good to know, ai, design, ux
Staged Publishing for npm Packages #
by npm
npm's new staged publishing model gives packages a review period before going live β part of the npm 11.15.0 release
π° Good to know, npm, javascript
by Eran Sandler
Postgres wire-protocol adapter for SQLite β use psql, pgAdmin, and standard Postgres drivers against an SQLite database
π§° Tools, sqlite, postgres, tools
by TypeORM Team
TypeScript-first ORM reaches 1.0 after years on 0.3.x β INSERT INTO SELECT support, cross-driver transaction isolation levels, and smoother PostgreSQL enum migrations
π§° Tools, typescript, database, tools
by Kristian Dupont
Inspects your Postgres database and generates TypeScript types for use with Knex, Zod, or Kysely
π§° Tools, typescript, postgres, tools
by Deno Team
Security firewall for Deno agents β restricts network access and subprocess execution to prevent agent overreach
π§° Tools, security, ai, tools
Tech Truth: Agile Evolution & the Future of SW Engineering #
by Martin Fowler, Kent Beck
Martin Fowler and Kent Beck reflect on 30 years β AI as a patient tutor, what Extreme Programming got right, and why people skills still matter more than tools
πΊ Videos, engineering, agile
Want to read more? Check out the full article [here](https://weeklyfoo.com/foos/foo-138/).
To sign up for the weekly newsletter, visit [weeklyfoo.com](https://weeklyfoo.com).