Friday Links 28: The Latest in JavaScript (Sep 19, 2025)
A curated roundup of fresh tools, articles, and community insights from the JavaScript ecosystem.
Welcome to Friday Links 28, your weekly roundup of what’s new and noteworthy in the JavaScript world. This edition features updates on libraries, insightful blog posts, and developer resources that stood out over the past week. Whether you’re a frontend developer, Node.js enthusiast, or someone tracking industry shifts, you’ll find something useful here.
NPM Supply Chain Attack: @ctrl/tinycolor and 40+ Packages Compromised
A major supply chain attack, dubbed Shai-Hulud, compromised @ctrl/tinycolor and 40+ npm packages. Malicious code exfiltrated cloud credentials and GitHub tokens. Developers should remove affected versions, rotate secrets, and audit CI/CD pipelines.
DeepSeek Trains R1 Model for Just $294K Using Nvidia H800s
Chinese AI firm DeepSeek revealed it spent only $294,000 training its R1 model — far below the hundreds of millions claimed by U.S. rivals. Using 512 Nvidia H800 accelerators, the company trained R1 in just 80 hours. The release of R1 earlier this year rattled tech markets, even denting Nvidia’s valuation. DeepSeek also acknowledged limited use of A100s and defended model distillation, stressing it makes AI more accessible despite U.S. accusations of copying OpenAI’s work.
Villager: Controversial Chinese AI Pentesting Tool Emerges
Security researchers uncovered Villager, an AI-driven pentesting framework published on PyPI and linked to the Chinese group Cyberspike. Marketed as a “successor to Cobalt Strike,” it integrates Kali Linux, 4,200+ AI prompts, and tools like Mimikatz and AsyncRAT. While it can support legitimate penetration testing, its automation makes it equally useful for large-scale cyberattacks. Experts warn that Villager highlights how quickly attackers are adopting AI to streamline exploitation and stealth.
📜 Articles & Tutorials
Behind The Scenes of Bun Install
An Interactive Guide to TanStack DB
How to Use Liquid Glass in React Native
Generate AWS Architecture Diagrams with Amazon Q
Building a React AI Agent: A Practical Guide for Developers
Build a Signal Clone with React Native and Stream - Part One, Part Two
Better CSS layouts: Time.com Hero Section
How to optimize your Next.js app with after()
How React Works Behind the Scenes
What a Simple JS Router Taught Me About Being a Senior Developer
Advanced App Router Routing Patterns (Next.js)
OpenTelemetry Collector: What It Is, When You Need It, and When You Don’t
⚒️ Tools
CodeDiagram - The visual note-taking tool inside your VSCode
Term.Everything - Run any GUI app in the terminal❗
mdream - ☁️ Convert any site to clean markdown & llms.txt. Boost your site’s AI discoverability or generate LLM context for a project you’re working with.
openapi-typescript-server - Codegen TypeScript servers from OpenAPI
Origin UI - Beautiful UI components built with Tailwind CSS and React.
port-kill - Port Kill helps you find and free ports blocking your dev work.
Advanced-Git - Collaborative cheatsheet for GIT
EvilCharts v1.0 - Animated & Interactive charts for your next project.
📚 Libs
ts-to-zod - Generate Zod schemas (v4) from Typescript types/interfaces.
react horizontal heatmap - A lightweight React component for rendering a horizontal heatmap. Perfect for timelines, activity charts, or health status indicators. Fully customizable colors, box size, and spacing.
Tricolore - v0.1.0 - A JavaScript/TypeScript library for visualizing ternary compositions with choropleth maps, heavily inspired by the R tricolore package.
Chartbrew - Open-source web platform used to create live reporting dashboards from APIs, MongoDB, Firestore, MySQL, PostgreSQL, and more 📈📊
ow - Function argument validation for humans
SVG guitar - Create beautiful SVG guitar chord charts
Feedsmith - Fast, all-in-one parser and generator for RSS, Atom, RDF, and JSON Feed, with support for Podcast, iTunes, Dublin Core, and OPML files.
terminal-image - Display images in the terminal
Mercur - Open-source multi-vendor marketplace platform for B2B & B2C. Built on top of MedusaJS. Create your own custom marketplace. 🛍️
manifest - Portable backend to ship fast.
JPL Open Source Rover Project - A build-it-yourself, 6-wheel rover based on the rovers on Mars!
⌚ Releases
Deno 2.5 Released: Permissions in the config file
Storybook 10 is a breaking maintenance release
uuid 13.0 - Generate RFC-compliant UUIDs in JavaScript
npm-publish v4.0.0, React on Rails 16.0.0 Release Notes, DayPicker 9.10, TanStack Form 1.20, TanStack Query 5.89, node-soap 1.4
📺 Videos
Build An Agent in 10 mins with AI SDK 5 with Nico Albanese from Vercel, AI Demo Days
Handling 500M clicks with a $4 VPS
Dockerize Next.js App & Deploy To VPS In 2025
How To Handle Data Access Like a Senior Dev
99% of Developers Don’t Get Git Rebase
MCP-UI + TanStack = Next Gen Web
DevOps Full Course | Build and Deploy a Scalable Production Ready API
Build and Deploy a Realtime Chat App with React, Node.js, Socket.io
My Linux Ubuntu Setup for Software Development
🎤 Talks & Podcasts
No content this week 😢
🗞️ News & Updates
Claude can now create and edit files
Stupid Meter Benchmarks LLMs Like GPT-5, Claude Opus 4, and Gemini 2.5
A new tool called Stupid Meter continuously evaluates large language models in real time, including OpenAI GPT-5, Anthropic Claude Opus 4, and Google Gemini 2.5 Pro. Running over 140 live tests, it measures correctness, stability, efficiency, and error recovery, while also factoring in cost per successful task. The results are displayed in a dynamic dashboard, showing which models deliver the best balance of performance and price. The project is open source on GitHub.
ElevenLabs Launches Studio 3.0: Full Audio Editor for Video
ElevenLabs has upgraded its platform with Studio 3.0, turning it into a complete audio editor for video content. Users can now upload videos and edit soundtracks directly — from generating background music and voice synthesis to noise reduction and voice modulation. Available across all plans (with 10 minutes free monthly), the update positions ElevenLabs as an all-in-one post-production tool for creators on YouTube, TikTok, Reels, and beyond.
That’s a wrap for Friday Links 28. As always, JavaScript continues to evolve at a rapid pace, bringing both exciting innovations and fresh challenges. Explore the links, experiment with new tools, and share them with your community. We’ll be back next Friday with another roundup to keep you up to speed.