Supply Chains, Zombie OSS, and Agent Firewalls

Gergely Orosz reports that AI is amplifying team culture for better or worse, while Cloudflare demonstrates frontier models chaining exploits and outperforming single-agent verification in security reviews. SafeDep tracked 314 compromised npm packages, prompting npm's staged publishing response, and Andrew Nesbitt documented how open-source projects become zombie dependencies. Julia Evans made a case for semantic HTML with native CSS, and Deno's Claw Patrol introduced agent-level security controls directly in the runtime.

This week feels like a full-stack reality check: Gergely Orosz (https://newsletter.pragmaticengineer.com/p/ai-impact-on-software-engineers-part-2) reports that AI is amplifying team culture, good and bad, while Cloudflare (https://blog.cloudflare.com/cyber-frontier-models/) shows frontier models already chaining exploits and reviewing attacks better with multi-agent setups. The ecosystem drama continues: SafeDep (https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/) tracks 314 compromised npm packages, npm (https://docs.npmjs.com/staged-publishing) responds with staged publishing, and Andrew Nesbitt (https://nesbitt.io/2026/05/19/dumb-ways-for-an-open-source-project-to-die.html) explains how open-source projects quietly become zombie dependencies. On the practical side, Julia Evans (https://jvns.ca/blog/2026/05/15/moving-away-from-tailwind--and-learning-to-structure-my-css-/) makes a strong case for semantic HTML + native CSS, uxdesign.cc (https://uxdesign.cc/the-waiting-problem-in-ai-products-e7c11fd5a825) reminds AI teams that vague spinners are not a UX strategy, and the database/tooling corner is unusually strong: pgsqlite (https://github.com/erans/pgsqlite), TypeORM 1.0 (https://typeorm.io/docs/releases/1.0/release-notes/), and Kanel 4.0 (https://github.com/kristiandupont/kanel) all make modern TS+SQL workflows less painful.

Bonus watch: Martin Fowler and Kent Beck (https://www.youtube.com/watch?v=ii rLjQfjp0) reflecting on 30 years of Agile is a nice antidote to pure AI hype cycles. Also worth noting: Claw Patrol (https://deno.com/blog/clawpatrol) pushes agent-level security controls into the runtime itself, which is exactly where this should be heading.

Enjoy!

Sign up here (https://weeklyfoo.com) for the newsletter to get the weekly digest right into your inbox.

Find the 12 highlighted links of weeklyfoo 138 (https://weeklyfoo.com):

AI's Impact on Software Engineers in 2026: Part 2 by Gergely Orosz
Survey of 900+ engineers — AI amplifies existing culture, codebase quality is dropping while management focuses on output, and junior devs are struggling most
🚀 Read it: ai, engineering

by Julia Evans
Adopting semantic HTML and native CSS — component files, CSS nesting, and grid layouts without the framework dependency
📰 Good to know: css, frontend

314 npm Packages Compromised in New Supply-Chain Wave by SafeDep Team
The mini Shai-Hulud class of supply-chain attacks returns — 314 packages including the antv family and timeago.js targeted in the latest wave
📰 Good to know: security, npm, javascript

What Claude Mythos Showed Cloudflare by Cloudflare
Cloudflare's CSO reports on Project Glasswing findings — exploit chain construction, proof generation, and adversarial multi-agent review that outperforms single-agent verification
📰 Good to know: ai, security

Dumb Ways for an Open Source Project to Die by Andrew Nesbitt
Maintainer burnout, funding gaps, and broken tech turn still-used packages into zombies — listed everywhere, quietly dangerous for all downstream dependents
📰 Good to know: open-source, engineering

The Waiting Problem in AI Products by uxdesign.cc
AI products ignore decades of research on wait time — users need progress indicators, ETAs, and detailed logs instead of vague spinners that force people to invent their own coping behaviors
📰 Good to know: ai, design, ux

Staged Publishing for npm Packages by npm
npm's new staged publishing model gives packages a review period before going live — part of the npm 11.15.0 release
📰 Good to know: npm, javascript

pgsqlite by Eran Sandler
Postgres wire-protocol adapter for SQLite — use psql, pgAdmin, and standard Postgres drivers against an SQLite database
🧰 Tools: sqlite, postgres, tools

TypeORM 1.0 by TypeORM Team
TypeScript-first ORM reaches 1.0 after years on 0.3.x — INSERT INTO SELECT support, cross-driver transaction isolation levels, and smoother PostgreSQL enum migrations
🧰 Tools: typescript, database, tools

Kanel 4.0 by Kristian Dupont
Inspects your Postgres database and generates TypeScript types for use with Knex, Zod, or Kysely
🧰 Tools: typescript, postgres, tools

Claw Patrol by Deno Team
Security firewall for Deno agents — restricts network access and subprocess execution to prevent agent overreach
🧰 Tools: security, ai, tools

Tech Truth: Agile Evolution & the Future of SW Engineering by Martin Fowler, Kent Beck
Martin Fowler and Kent Beck reflect on 30 years — AI as a patient tutor, what Extreme Programming got right, and why people skills still matter more than tools
📺 Videos: engineering, agile

Want to read more? Check out the full article here: https://weeklyfoo.com/foos/foo-138/