# Supply Chains, Zombie OSS, and Agent Firewalls

> Source: <https://dev.to/urbanisierung/supply-chains-zombie-oss-and-agent-firewalls-543>
> Published: 2026-05-29 06:36:57+00:00

This week feels like a full-stack reality check: [Gergely Orosz](https://newsletter.pragmaticengineer.com/p/ai-impact-on-software-engineers-part-2) reports that AI is amplifying team culture (good and bad), while [Cloudflare](https://blog.cloudflare.com/cyber-frontier-models/) shows frontier models already chaining exploits and reviewing attacks better with multi-agent setups.

The ecosystem drama continues: [SafeDep](https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/) tracks 314 compromised npm packages, [npm](https://docs.npmjs.com/staged-publishing) responds with staged publishing, and [Andrew Nesbitt](https://nesbitt.io/2026/05/19/dumb-ways-for-an-open-source-project-to-die.html) explains how open-source projects quietly become zombie dependencies.

On the practical side, [Julia Evans](https://jvns.ca/blog/2026/05/15/moving-away-from-tailwind--and-learning-to-structure-my-css-/) makes a strong case for semantic HTML + native CSS, [uxdesign.cc](https://uxdesign.cc/the-waiting-problem-in-ai-products-e7c11fd5a825) reminds AI teams that vague spinners are not UX strategy, and the database/tooling corner is unusually strong: [pgsqlite](https://github.com/erans/pgsqlite), [TypeORM 1.0](https://typeorm.io/docs/releases/1.0/release-notes/), and [Kanel 4.0](https://github.com/kristiandupont/kanel) all make modern TS+SQL workflows less painful.

Bonus watch: [Martin Fowler and Kent Beck](https://www.youtube.com/watch?v=ii_rLjQfjp0) reflecting on 30 years of Agile is a nice antidote to pure AI hype cycles. Also worth noting: [Claw Patrol](https://deno.com/blog/clawpatrol) pushes agent-level security controls in the runtime itself, which is exactly where this should be heading.

Enjoy!

Sign up [here](https://weeklyfoo.com) for the newsletter to get the weekly digest right into your inbox.

Find the 12 highlighted links of [weeklyfoo](https://weeklyfoo.com) #138:

## AI's Impact on Software Engineers in 2026: Part 2

by Gergely Orosz

Survey of 900+ engineers — AI amplifies existing culture, codebase quality is dropping while management focuses on output, and junior devs are struggling most

🚀 Read it!, ai, engineering

## Moving Away from Tailwind (and Learning to Structure My CSS)

by Julia Evans

Adopting semantic HTML and native CSS — component files, CSS nesting, and grid layouts without the framework dependency

📰 Good to know, css, frontend

## 314 npm Packages Compromised in New Supply-Chain Wave

by SafeDep Team

The mini Shai-Hulud class of supply-chain attacks returns — 314 packages including the antv family and timeago.js targeted in the latest wave

📰 Good to know, security, npm, javascript

## What Claude Mythos Showed Cloudflare

by Cloudflare

Cloudflare CSO reports on Project Glasswing findings — exploit chain construction, proof generation, and adversarial multi-agent review that outperforms single-agent verification

📰 Good to know, ai, security

## Dumb Ways for an Open Source Project to Die

by Andrew Nesbitt

Maintainer burnout, funding gaps, and broken tech turn still-used packages into zombies — listed everywhere, quietly dangerous for all downstream dependents

📰 Good to know, open-source, engineering

## The Waiting Problem in AI Products

by uxdesign.cc

AI products ignore decades of research on wait time — users need progress indicators, ETAs, and detailed logs instead of vague spinners that force people to invent their own coping behaviors

📰 Good to know, ai, design, ux

## Staged Publishing for npm Packages

by npm

npm's new staged publishing model gives packages a review period before going live — part of the npm 11.15.0 release

📰 Good to know, npm, javascript

## pgsqlite

by Eran Sandler

Postgres wire-protocol adapter for SQLite — use psql, pgAdmin, and standard Postgres drivers against an SQLite database

🧰 Tools, sqlite, postgres, tools

## TypeORM 1.0

by TypeORM Team

TypeScript-first ORM reaches 1.0 after years on 0.3.x — INSERT INTO SELECT support, cross-driver transaction isolation levels, and smoother PostgreSQL enum migrations

🧰 Tools, typescript, database, tools

## Kanel 4.0

by Kristian Dupont

Inspects your Postgres database and generates TypeScript types for use with Knex, Zod, or Kysely

🧰 Tools, typescript, postgres, tools

## Claw Patrol

by Deno Team

Security firewall for Deno agents — restricts network access and subprocess execution to prevent agent overreach

🧰 Tools, security, ai, tools

## Tech Truth: Agile Evolution & the Future of SW Engineering

by Martin Fowler, Kent Beck

Martin Fowler and Kent Beck reflect on 30 years — AI as a patient tutor, what Extreme Programming got right, and why people skills still matter more than tools

📺 Videos, engineering, agile

Want to read more? Check out the full article [here](https://weeklyfoo.com/foos/foo-138/).

To sign up for the weekly newsletter, visit [weeklyfoo.com](https://weeklyfoo.com).
