Deno Deploy Makeover, Vitest 4, Nuxt 4.2, and Next.js 16 (Oh, and React Native 0.82) | News | Ep 41

Kamran Ayub:

Welcome to TypeScript FM, the friendly podcast for TypeScript developers where we bring you news, updates, and interviews from the community with plenty of tomfoolery sprinkled in. I'm your host, Kamran Ayub, and I'm joined by my cohost and best bud, Erik Onarheim. Together, we're the two TypeScript fools. Welcome to the show.

Erik Onarheim:

Welcome to the show. Welcome to the show. How's it going, Kamran?

Kamran Ayub:

I'm doing good. How are you?

Erik Onarheim:

I'm doing okay. I've been running a lot lately. I've ran every day for the last six days.

Kamran Ayub:

Oh, that's fun. Even in the rain?

Erik Onarheim:

Yep. Even in the rain. But it's been like it's been like a tiny bit of rain when I've been running. Yeah. It hasn't been that cold.

Erik Onarheim:

It hasn't been that cold.

Kamran Ayub:

Yep. That's good. That's fun. Yeah. So you feel your your ankle and stuff is feeling a lot better?

Erik Onarheim:

Yeah. I'm I'm injury free currently. I'm just like getting my fitness back. I threw down five miles yesterday, which was which was great. It felt good.

Erik Onarheim:

It was like a good five miles. So it was like a strong five miles. And my beats per minute were like 10 on average less than the last time I ran five miles. So I'm like, yeah, fitness is coming back. So that's good.

Kamran Ayub:

Nice.

Erik Onarheim:

I was totally gassed today though. I didn't make it. I barely made it three miles.

Kamran Ayub:

Oh, yeah. Hey, you had we didn't record yesterday because you had construction going on. Did you finally get those steps, those stairs?

Erik Onarheim:

It sounds like they might have just finished because they they were still here today, hammering, but they have stopped. So I can only assume that they are done. And I ran by them, you know, surreptitiously to spy on them. And it looks pretty cool. They, we got new steps put in.

Kamran Ayub:

Beautiful.

Erik Onarheim:

And this is gonna be great. So, so far it looks stupendous. It's got that all weather decking and metal railings and it's attached to the house. Beautiful. And it's all permitted and it's like all done correctly and I'm like Into code.

Erik Onarheim:

Yeah. Excellent. Yeah. That's good. Even submitted drawings to the city.

Kamran Ayub:

Well, good. Yeah. So they're doing it. They're doing it the right way. It's not like the folks that I hired to make the wall in for my office downstairs in the basement, they did not talk to anybody.

Kamran Ayub:

Nobody.

Erik Onarheim:

They just did it.

Kamran Ayub:

They just did it. Yep. But, you know, so it goes.

Erik Onarheim:

Yeah. Yeah. Yeah. They're piercing the bureaucracy by not talking to it.

Kamran Ayub:

Yeah. Anyway, what you've been working on?

Erik Onarheim:

Well, I've been working on my super secret console project to run Excalibur games on consoles. Very secret now that I'm talking about it. But I was I was trying to get it to run on Linux. And and I was trying to get it to run on Linux in like the most unideal Linux situation because I was running I'm running in like Hyprland in Fedora, which is all Wayland. I got to a point where I don't I don't know if I can run it without like XWayland, which is like a compatibility layer where it still runs the X like old windowing thing.

Erik Onarheim:

But I think I might I might be stuck. I might be stuck because I'm I'm hitting a part, like a thing where ANGLE just does not wanna show me the display with SDL3 and I'm I'm pretty stuck. And I just basically spent all day Sunday doing something that didn't matter.

Kamran Ayub:

I don't know half of what you just said. It was you you basically could have just been speaking in Elvish.

Erik Onarheim:

I should be posh.

Kamran Ayub:

Hopefully, you know, door door open, please, to Yeah. The mines of mines of Moria.

Erik Onarheim:

And and then I got nerd sniped by performance, like, completely separately in Excalibur. And then I spent the rest of my weekend doing, like, performance benchmark optimizations. And I real I really got a lot of speed. Oh. So that's pretty cool.

Erik Onarheim:

I also ran into a game rendering benchmark that had the wrong rendering code for Excalibur. So I sent them a PR and they merged it.

Kamran Ayub:

Nice.

Erik Onarheim:

So now now in their benchmark, it shows, like, us running 10,000 items at 60 FPS on my machine.

Kamran Ayub:

So Good. Good.

Erik Onarheim:

I was very pleased.

Kamran Ayub:

Don't don't wanna be misrepresented there.

Erik Onarheim:

No. I that's what I was saying. Yep. I was very nice.

Kamran Ayub:

Good. Good. Glad glad that worked out. Nothing's really nothing's really different with me. I am just heads down on MCP course stuff.

Kamran Ayub:

Although, I will say, I was talking to you about this outside the show. I did dig a little deeper into dealing with the sales tax when you're doing like a software as a service because my product gets bought by people outside the US. So that's a thing that I have to deal with. And let me just say that it's not pleasant. So you wanna get those ducks in a row before you decide to sell to people outside the US.

Erik Onarheim:

Yeah. Yeah. For sure.

Kamran Ayub:

Cool. We have a lot of news for the week of 10/20/2025. There's there's at least like four big things to talk about. So should we just get into it?

Erik Onarheim:

Let's just get into it. Yeah. Think the headliner is there's a new Deno Deploy.

Kamran Ayub:

Brand new.

Erik Onarheim:

Brand spanking new.

Kamran Ayub:

Fresh off the press, rewritten from scratch. And apparently, they've been working on this for a while. They've been sharing updates on social media, but this is the first time that I've seen the new Deploy, and they have a great blog post on the blog that is titled My highlights from the new Deno Deploy, and it's from Phil Hawksworth, and he goes into a lot of detail for all the different things that he likes. And, you know, he he works there, but he really presented it in a great way for developers. So we can give you the too long didn't read, but I think you should go check it out, especially if you are interested in Deno Deploy.

Kamran Ayub:

But one major thing is that they've got built in CI/CD now.

Erik Onarheim:

So Mhmm.

Kamran Ayub:

Mhmm. Before, you had to build in, like, GitHub Actions or externally, and then you had to push to Deno Deploy. But now, it works more like Cloudflare Workers or Netlify, where they just have built in CI/CD. So that is pretty cool.

Erik Onarheim:

Yeah. That is super cool. And they also have automatic, like, preview builds, preview environments. So like, if you're doing like PRs, you can get like preview builds and preview environments for whatever you're doing, which is pretty slick. The other thing that's really neat is they have an easy to migrate from KV to Postgres.

Erik Onarheim:

So you can KV is their persistent key value store.

Kamran Ayub:

Yeah. It's KV is like the easy way. Like, if you just need to store some stuff, it's super easy to use. But what you couldn't do before was easily turn that into a full fledged Postgres database, and now you can. So that's pretty cool.

Kamran Ayub:

And then speaking of databases, they now have database environments. So this will allow you to automatically access the right database environment, depending on which deployment environment you're in, without any config. So, if you're using the Deno APIs, it just automatically knows, in this environment, you get access to the develop development database, staging database, production database, etcetera. You don't have to do any kind of, like, config dancing in your code, even at runtime, to, like, choose, oh, I'm gonna use this key, or, you know, if development, then connect to this database. Nope.

Kamran Ayub:

Don't have to do it. They just take care of it for you, which I think is pretty sweet.

Erik Onarheim:

Yeah. And another really cool thing is they've added automatic OpenTelemetry into your into your stuff, so you can just get traces just out of the box. Super slick. This is like this is a thing that's like table stakes in my opinion. Nothing is worse than digging through like old school logs to figure out what's wrong across your whole environment.

Erik Onarheim:

Traces are just like, hey, click, let's look at the waterfall. Let's see all of the hops, the inter process hops between different services, and you can just see it all in one place. So can recommend. We use, this with, at at work, we use this with Grafana, and you can see the traces in a nice waterfall. It's super nice.

Kamran Ayub:

Nice. One thing I really liked that he called out was the 404 reporting. And this is especially annoying in some tools where it doesn't distinguish between, like, actual errors and 404 errors because I don't want to get alerts based on 404s, especially if someone is just hitting, you know, random stuff. But what I do want is to know if a 404 is actually valid. Mhmm.

Kamran Ayub:

Like, am I am I missing something? Like, is it a broken link? And they separate 404 errors from the rest of the errors, and they put it into a really nice report that says, hey, you know, these pages got the most 404 hits or whatever. It doesn't it it's separate from other types of exceptions. Like, it's not an exception.

Kamran Ayub:

It's just a, you know, URL not found there. So I do like that. Like, that's a that's a pretty nice developer experience quality of life.

Erik Onarheim:

For sure. They've also added environment variables and secrets.

Kamran Ayub:

And importantly, this works with both dynamic and static sites. Right? Because you treat them differently. With static sites, you need them at build time. But with dynamic sites, you need them during server render time and Deno's environment variables and secrets work both ways depending on what you've selected as your deployment strategy.

Kamran Ayub:

So that's pretty cool.

Erik Onarheim:

Yeah. In their in their documentation, they say here, they have a secret environment variable, which is never visible in the UI after creation, only readable from application call code. So, guess, it it is looks like an environment variable, is what it's looking like here in their documentation.

Kamran Ayub:

Yeah. I think it it's probably implemented as an environment variable, but in the management interface, it's a secret. Obviously, what they want you to do is to use a secret store, which I would recommend, but if you're if you're just doing a little demo and you need to you need to put something secret in there, this is this is kinda nice.

Erik Onarheim:

They have a new CLI for the Deno deploy, so you can just do Deno space deploy.

Kamran Ayub:

Yeah. I mean, it's implemented as a sub command because there there was actually an entirely separate CLI Mhmm. Deno control, CTL, I think. Yeah. Yeah.

Kamran Ayub:

So now, it's just it's actually just built into Deno, the deno command, which makes total sense.

Erik Onarheim:

Mhmm. Mhmm. You can also connect to environments with the dash dash tunnel. So, this is kind of like, if you've ever done what is it called?

Kamran Ayub:

Ngrok?

Erik Onarheim:

Yeah. That's exactly what I'm thinking of. Mhmm. Ngrok. Same idea.

Erik Onarheim:

So you can have, like, local environments connected to your environment in the cloud, that kind of thing.

Kamran Ayub:

Yeah. And then, this is something that you'll like too. They introduced new playgrounds, which not only allow you to write, like, some Deno code and TypeScript code in the browser, but also press a button and have it deployed and shared with other people. You don't even need to go through any of the GUI or whatever to set up a Deno deploy project. It just they would just work through the playground, which is super slick.

Kamran Ayub:

And Phil has teased that there's some other improvements coming to playgrounds that are gonna make it even more valuable, so and even more useful to people, so I'm kind of excited about that.

Erik Onarheim:

Yeah. That's super cool. That's super cool. They even added this little cute deploy button that will go and spin up like a little GitHub template. It's it's super cool.

Kamran Ayub:

Yeah. It it's it's quite cute. Awesome. Next big piece of news, Vitest 4 is out.

Erik Onarheim:

Woo hoo. We love Vitest here in this house.

Kamran Ayub:

Yeah. So what we got here? Browser mode is stable. With this release, we are removing the experimental tag from browser mode. To make it possible, we had to introduce some changes to the public API.

Kamran Ayub:

So, you know, there's some breaking changes, but now you can install separate packages for each of your providers. So if you're using Playwright, WebDriver, browser preview, so this makes it easier to work with custom options, and you'll like TypeScript users. You don't have to use triple slash references anymore in your configs to reference those other packages.

Erik Onarheim:

One thing that's really cool in here is they added visual regression testing.

Kamran Ayub:

Mhmm.

Erik Onarheim:

So you can do things like toMatchScreenshot, and you can do it by like area of the page, which is pretty nice. So you don't have to have the brittleness of an entire page. You can be like this this spot. I expect this spot to match this other spot. So one thing that you might have run into if you've ever done screenshot stuff is the bigger the screenshot, the more noise can sneak through if you have a lower threshold.

Erik Onarheim:

Like Yep. For example, if I have like a thousand by a thousand image and then I changed one pixel, well then that's like point 1% changed. But if I have a one by one image and that one pixel change, that's a 100% change. Right? So that's that's kind of like, you wanna you wanna test the smallest amount of screen space that you can get away with.

Kamran Ayub:

Mhmm.

Erik Onarheim:

So, this is great.

Kamran Ayub:

Yeah. I think for type TypeScript developers, there's some more type aware hooks. So, this in this example, what they're showing is that at the top of your test, can use test dot extend, and then you can go fetch to dos. And then those to dos will be provided as context to your before each and after each hooks, which is kinda cool.

Erik Onarheim:

Yeah. Super slick.

Kamran Ayub:

Yep. They just introduced Standard Schema support, which unifies, like, a base schema matcher across Valibot, ArkType, and Zod, and now Vitest 4 has introduced a new asymmetric matcher called expect.schemaMatching, and it accepts a Standard Schema v1 object and validates values against it. So, it passes the assertion when the value conforms to the schema. So, that's pretty big news, and that's pretty sweet.

Erik Onarheim:

That is super cool. When you're doing, like, any kind of, like like, maybe any kind of fuzzing, or you wanna see like, oh, it needs to it could be anything in this shape. Like, we wanna match this shape. You know, that's that's what we're testing.

Kamran Ayub:

Yep. And in their in their motivating example here in the blog post, they have imports from Zod, Valibot, and ArkType and are using them in the same exact test doing the same exact test assertion. So that is super cool. So I think those are the big things. There are breaking changes, and so definitely wanna go view the migration guide before upgrading.

Kamran Ayub:

But those are pretty exciting.

Erik Onarheim:

Well, not to be outdone, Nuxt 4.2 just dropped.

Kamran Ayub:

Woo hoo.

Erik Onarheim:

With experimental TypeScript plugin support and better error handling. And one thing that's really cool is they added abort control for data fetching. So Mhmm. Now you don't have to wait until the request is done. You could now use abort control.

Erik Onarheim:

So they have a motivating example here where you can pass the signal, the abort controller signal into the refresh and you can cancel that request later. If like, for example, if you're doing like a type ahead or something, you were doing like a search. This would be an example where you might add an abort controller.

Kamran Ayub:

Nice. So tell me more about that experimental TypeScript plugin support. It looks like it's it's not to develop new TypeScript plugins, but instead, we'll actually bring in a bunch of TypeScript plugins that should improve your developer experience as a TypeScript developer.

Erik Onarheim:

That's right. And so, what they have listed in their blog post here is they have smart component renaming, so they're taking advantage of like

Kamran Ayub:

That's good.

Erik Onarheim:

The references and stuff, like, kind of this DX, like, tooling advantage. Yeah. They go to definition, which I don't know how people live without that, but go to definition for dynamic imports. So you can navigate directly to files using a glob pattern. So like import, you know, assets name dot web p and you can So they got that figured out.

Erik Onarheim:

That's cool.

Kamran Ayub:

That's cool.

Erik Onarheim:

Yep. Nitro route navigation. So in Nuxt, you have the I believe it's called Nitro routes, but I could be wrong about that. Future Erik will correct me if I'm wrong. But you can jump to server routes from the data fetching function.

Erik Onarheim:

So, know, you have the air quotes front end functions, the dollar fetch, the use fetch, use lazy fetch. You can jump to the back end route or the server route, excuse me, that's handling that.

Kamran Ayub:

Yeah. That's that's super helpful.

Erik Onarheim:

Yeah. They added some enhanced auto import support and they have runtime config navigation. So you can go to definition seamlessly with runtime config properties, which is pretty cool.

Kamran Ayub:

Yeah. These are pretty sweet. It says that this feature also requires selecting the Workspace TypeScript version in VS Code, so you have to use the the Workspace version of the of TypeScript, not the global VS Code installation of TypeScript.

Erik Onarheim:

Mhmm. Mhmm. They also noted that these are through the @dxup/nuxt module. That's where these the @dxup/nuxt module are where these are exposed.

Kamran Ayub:

Cool. We've mentioned the Vite environment API, and so they announced that you can now opt in to the Vite environment API. It well, I'm just quoting from the blog post, but it says it closes the gap between development and production by allowing the Vite dev server to handle multiple environments concurrently rather than requiring multiple Vite dev servers as we have done previously in Nuxt. This should improve performance when developing and eliminating some edge case bugs. And it's the foundation for implementing Nitro as a Vite environment, which should speed up the dev server still further.

Kamran Ayub:

So that's pretty cool. This is experimental, but you can enable that with the Vite environment API config option. Cool. Cool.

Erik Onarheim:

Awesome.

Kamran Ayub:

This Nitro server thing that we're talking about, it looks like that's their server side integration, and they are they're also extracting it into its own package. So now it'll be @nuxt/nitro-server, and this architectural change allows for different Nitro integration patterns and paves the way for future innovations and server side rendering. So that's pretty cool. So there's there's not any there's no changes that are required for your code. It's just something that they're doing internally, but it's gonna allow them to swap out a server side rendering, I expect.

Kamran Ayub:

So that's pretty cool.

Erik Onarheim:

Yeah. Yeah. And then Sweet. Another DX improvement is they just added better error pages in development. So, you get a nice little printout of what's wrong.

Kamran Ayub:

Cool. Cool. Sounds good. What else is next? The third announcement.

Erik Onarheim:

Next 16. What? More Next.

Kamran Ayub:

Did you just say Next 16? No. No. No.

Erik Onarheim:

Next

Kamran Ayub:

16. So Next.js Conf is coming up, and ahead of that, the team has just released Next.js 16. So just going through a few of these improvements here.

Kamran Ayub:

We've got cache components. So this is using that partial pre rendering technique, which we kind of covered in React 19 is something that's kind of brand new. So that that is available. And then if you are using Next.js in, like, VS Code or some other IDE that supports MCP integration, they've just released the Next.js DevTools MCP, which was going to, hopefully, help you improve debugging and workflow. So you can just install that into your IDE if you'd like to.

Kamran Ayub:

They've been working on middleware for a while, and now they are renaming it to proxy, which they say makes the app's network boundary explicit. So proxy the proxy.ts file is the new middleware.ts file, and it runs on the Node.js runtime. And then the middleware.ts file is still available for Edge runtime, but it's deprecated, and it's gonna be removed. So, looks like they're they're moving to this new proxy.ts file.

Erik Onarheim:

Nice. They added a whole bunch of logging improvements, and it shows you how long things are taking, the compile and the render. That's super cool. So, you can be like, oh, this this this took forever to compile or oh, this took forever to render. That's pretty neat.

Kamran Ayub:

Yep. Other big news here, Turbopack is stable. So, yep. It was it was like in release candidate or beta before and now it is is stable. So it's now the default bundler for all new Next.js projects.

Kamran Ayub:

And it's it's improved pretty, like, substantially. With Turbopack, you can expect two to five times faster production builds and up to 10 times faster fast refresh, which is, like, their hot reload. So they're making Turbopack the default, so which is kinda cool. So if you do have a custom webpack setup, you can pass the --webpack flag.

Kamran Ayub:

But but but now Turbopack is the the new default.

Erik Onarheim:

Nice. Let's see what else is good.

Kamran Ayub:

They've got they've got some more DX improvements. If you use create-next-app, that's been redesigned. It's TypeScript first configuration, so that's good news. And then I think another notable thing is that the React compiler support is stable.

Kamran Ayub:

So Next.js was one of the first to integrate the React compiler, and since in 19, or 19.2, the React compiler 1.0 is stable. So now Next.js 16 is integrating React compiler's 1.0 release, which makes it stable. And so that's that's pretty cool. So you can that's not on by default, but you can turn it on with the React compiler true flag.

Kamran Ayub:

It's no longer under the experimental flag. Sweet. Yeah. I think there's there's quite a lot more stuff, but it's probably is more relevant for Next.js developers, so you definitely wanna just go go read the blog post and see see what applies to you, but there's a lot of cool stuff.

Erik Onarheim:

Alright. Next up, we have React Native 0.82, a new era.

Kamran Ayub:

Yet another, like, rearchitecture from the ground up type of deal. Do you know do you know much about React Native? Because I admit that I am not an expert on

Erik Onarheim:

React I feel like I know that what I know about React Native is about the same as what I know about how car engines work. Like, have a very, like, abstract theoretical understanding of how car engines work. That's about how I I view React Native. I have a very theoretical abstract understanding of how React Native works.

Kamran Ayub:

Yeah. So there's this thing that they're calling the new architecture, and as of 0.82, it's now the default architecture. So it was introduced in React Native 0.76. So it's been about a year, it looks like. So I think React Native developers probably know what it means, but I'm just learning about it for the first time.

Kamran Ayub:

It basically looks like a ground up rewrite of React Native. And the New Stack article that we are going to link to explains more about sort of what the big differences are. But I think the one that maybe you might be the most interested in, Erik, is this JSI. It's called the JavaScript interface, and the team said that the JSI is an interface that allows JavaScript to hold a reference to a C++ object and vice versa. So with a memory reference, you can directly invoke methods without serialization costs.

Kamran Ayub:

Yeah. This is cool. That's pretty awesome. They've also revved Hermes. They're calling it Hermes V1, and this features improvements in the compiler and in the virtual machine that boosts Hermes performance.

Kamran Ayub:

So that's pretty sweet because I have heard rumblings that React Native performance is, you know, it's obviously not as good as native. So this seems like a great move in the direction of native like performance.

Erik Onarheim:

Yeah. What I understand is that, and I could be totally wrong, but my my knowledge could be outdated. But what I understand is Hermes is a byte code interpreter. And it goes and it compiles your JavaScript into this byte code, and it runs it through its interpreter. So it's like doing it's doing the thing that Java was supposed to do, but with JavaScript.

Erik Onarheim:

So that's my understanding. I could be wrong about that. But, yeah, that that can be a reason why it's not gonna be as fast as like, you know, fully jitted code from like Chrome or something. And I know they've been experimenting with something called static Hermes, which goes and drops it to like it emits a native binary instead of a byte code.

Kamran Ayub:

Yep. Well, it sounds like it's getting it's much better with Hermes V1 because they're saying that from initial tests and benchmarks, Hermes V1 outperforms current Hermes in various scenarios. We've seen improvements in bundle loading and time to interactive, but it said that the improvements do depend on the detail of your apps. So, we'll we'll link to both blog posts that sort of give you the overview and then the details, but that's pretty pretty exciting in the React Native world.

Erik Onarheim:

In the blog post, they do mention the static Hermes thing. V1 does not yet contain this JavaScript to native compilation. Otherwise known as static Hermes. So just wanna be clear about that. This is still doing the normal byte code interpretation.

Kamran Ayub:

Gotcha. Cool. Cool. Okay. Now those are the four major things, but we also have a decent set of set of stuff coming out for Node.js because the LTS 22 got a new notable feature, and that would be native HTTP proxy support.

Kamran Ayub:

Yeah. This is you're, like, doing a little dance over there. I would agree, because before, you might be familiar with, like, the HTTP proxy global environment variable, so you would have to set that if you wanted to use a proxy that applied to all the Node.js global agents.

Kamran Ayub:

But the thing is is that if you created any kind of custom agent, like an agent per API Mhmm. It wouldn't have that proxy info, so you'd have to do it yourself. But now, you can specify proxy info per agent, or you can even inherit from the global agent by passing in the process.env. So that's pretty sweet. And then there's also a a flag that introduces the proxy support too. So you can specify that at the command line or in node options or when you're writing shell scripts.

Kamran Ayub:

So you can pass the proxy in there. You don't have to just rely on the global environment variable or work around it by introducing your own parameters and stuff. So that's that's pretty cool.

Erik Onarheim:

Yeah. This is just a huge like, DX thing, like, this was just a paper cut that would cut you a lot. Yep. If you needed to use proxies. Maybe you don't live in this world.

Kamran Ayub:

A lot of corporate people do it.

Erik Onarheim:

Yeah. Yeah. If you're yeah, if you're in a corporate world, you might need to bounce through a proxy, so.

Kamran Ayub:

For sure.

Erik Onarheim:

Ash (Type)Script announced to release 0.6.0. And if you'll remember, this is the type safe Elixir TypeScript app thingy. So this is the the Ash framework and they have this Ash TypeScript package. So they have a blog post here that we'll link in the in the show notes. And, you know, they have a lot of features here.

Erik Onarheim:

If you're a big Elixir person using Ash, they have zero config TypeScript generation. So it automatically generates types from Ash resources and end-to-end type safety because you got TypeScript on the front and Ash on the back. Smart field selection, a full type inference, RPC client generation, all of the goodies that you want from like a strongly typed situation. All the goodness of Elixir Ash coming back forward through the front end for you in TypeScript. So some cool stuff there.

Erik Onarheim:

So check that out. Wait. Some TypeScript news. We had an, a heroic update to DefinitelyTyped in preparation for TypeScript version six, which is getting our mouth watering for the new version of TypeScript. But roughly speaking, this is a, a 1,839 file change to make all the packages work with ES module interop, which is a wild amount of work.

Erik Onarheim:

Wow. So Andrew Branch deserves a gold star or two. This is absolutely amazing.

Kamran Ayub:

The medal of TypeScript honor.

Erik Onarheim:

Yeah. This is an incredible amount of effort.

Kamran Ayub:

Man. Well, I wonder if there was some assistance there, if we did it all by hand, would be even more impressive.

Erik Onarheim:

Yeah. I'm not sure. I mean, I feel like you could maybe have made a tool to do You

Kamran Ayub:

could deterministically probably do it.

Erik Onarheim:

Yeah. I imagine when you have about 2,000, you might have done a tool. Looked like there was some necessary code changes in some spots. So it wasn't just a a rip it and forget it.

Kamran Ayub:

Yep.

Erik Onarheim:

It looked like there was a need to do do thinking in a lot of these spots as I go through this PR, which is which is a wild amount of effort Yeah. I think, just to go and validate that this is all correct. Just just bonkers.

Kamran Ayub:

That's awesome. Super impressive. Let's end the news section with a PSA. There was a critical account takeover in the better-auth library, and we've actually covered better-auth before because it is a TypeScript first auth framework, or auth library. It uses a plugin architecture to extend functionality, including an API keys plugin that allows applications to generate and manage API keys for authentication.

Kamran Ayub:

Well, unfortunately, that plugin had a vulnerability where you could pass your own user ID to the generate key function, and it would use that user ID, and it would just create the key for you. It wouldn't require authentication to generate. And so a malicious user could then create API keys and use those to take over accounts. So that is fixed, but you if you are using that, you definitely wanna make sure you upgrade immediately. Mhmm.

Kamran Ayub:

So hopefully, you got notified already through the the typical means, but if you didn't, that's something to be aware of.

Erik Onarheim:

Real bummer because better-auth looks and feels pretty amazing. So Yep. I I was bummed out to hear about this.

Kamran Ayub:

Yeah. I think what is kind of interesting is that the way that they detected it, and this is from the ZeroPath blog, but they're kind of like a Snyk alternative, but they use AI assistance to do, like, business logic validation too, like static analysis. And so it can follow, like, the code paths and see how things flow. And so the way that it found this vulnerability was by seeing that you could submit an HTTP request with that body and then analyzing the code path for it, and noticing that it creates the API key without any additional authentication. So, it was kind of an interesting, like, case study in, you know, this tool's way of detecting vulnerabilities.

Erik Onarheim:

Yeah. I think if we're looking at LLMs in the future of like static analysis tooling for security vulnerabilities, this could be really interesting. Because there's a number of like training data here where we know there are just bad patterns that we can train stuff on. And then it can go and find like, I don't know if they were using LLM. They might have been using more traditional ML technique.

Erik Onarheim:

But

Kamran Ayub:

Yeah. It's not super clear. They might be using an LLM. I don't know. But they just say AI assisted.

Kamran Ayub:

One thing that's kind of interesting too is that the way that they verify vulnerabilities is that they actually have other AIs take a look at it and try to run the vulnerability in a code sandbox, which is pretty interesting. So it vets the actual vulnerabilities that get reported before they actually report it to the end package. Like, before they actually report a vulnerability disclosure, they actually verify it Mhmm. To make sure that it is actually applicable.

Erik Onarheim:

Yeah. On the bad side of this, there's certainly like a ton of like bug bounty stuff going on right now where they're just, you know, submitting bogus LLM generated vulnerability reports to people. So don't do that.

Kamran Ayub:

No. Don't do that. And it does not sound like this vendor does that. So that's good. Good news.

Kamran Ayub:

Cool. Should we move on to some community highlights?

Erik Onarheim:

Let's do it.

Kamran Ayub:

So we've got another PSA, but not in the same vein. Jake Archibald, who works at Firefox and you might know from Shopify fame, has a PSA. Don't use top level await right now in browsers because there's a big Safari bug where it just doesn't work, and it'll have to be rearchitected in Safari itself to support top level await. So if you are running in the browser and your users are using Safari, which probably many of them are on iOS, you don't wanna be using top level await. And some folks chimed in in the comments.

Kamran Ayub:

We're hoping to maybe address this at Interop 2026, which is that sort of browser vendor get together where they talk about standards that they can adopt across browser runtimes. So hopefully, you know, this might be addressed in the future, but I guess that's a good PSA.

Erik Onarheim:

Mhmm. The specifics here are that the module graph will fail if two modules import a third at the same time, which is a total bummer.

Kamran Ayub:

That is a big bummer. Moving on, Brian Muenzenmeyer, who we featured a few times, his new talk from JSConf is now live. You don't need dependency. This is about the same thing that we talked about on the last episode, which is that modern Node.js features allow you to remove certain dependencies.

Kamran Ayub:

You don't need these packages anymore, but now you can watch the talk on YouTube. So you can go check that out, and I bet it's pretty good.

Erik Onarheim:

Awesome. Brian Vaughn on Bluesky has a small update to React window to add some TypeScript compatibility fixes for React versions '18 o through '20. Oh, check that out.

Kamran Ayub:

Yep. And React Window's for virtualization, which is super helpful. So I've used React Window in the past. I'm not using it currently, but this is really nice if you're using React 18.

Erik Onarheim:

Bluesky user Polly Wolf, Wolf Girl Technology has a blog post, four unconventional ways to cast in TypeScript. And you should read this blog post because they are four extremely unconventional ways to cast types and it's very interesting. The first one is the is operator, which is maybe the least surprising one. The rest are very surprising.

Kamran Ayub:

But you can't spoil it.

Erik Onarheim:

No. I won't spoil it. You should definitely check it out because it's extremely interesting. I learned some things here. This is wild stuff.

Erik Onarheim:

Also, don't do these things. So, yeah. If you wanna learn what not to do, go read that blog post. But this is a fantastic blog post by Wolfgirl. Nice.

Erik Onarheim:

Matteo Collina on the technical steering committee for Node adds a blog post about how to do type-safe API clients. And like, has a whole workflow of how to do it. One of the things that he shows off here that I think is like maybe interesting is you can generate an OpenAPI schema from curl commands. And you can use that to go and build a type safe client, which is pretty slick.

Kamran Ayub:

Nice. That is pretty cool. I have seen some tools that can take your OpenAPI schema definition and then generate TypeScript clients. So that's super nice. Sweet.

Kamran Ayub:

Alright. I came across another one from freeCodeCamp, whose articles I usually enjoy. This tutorial is a really good one. If you're kind of getting caught up in the MCP hype, but you're on TypeScript, this is a nice post that goes through how to build a to-do list MCP server, but also add auth, database, and billing to it. So I think this is pretty compelling because it's not just a toy MCP server. Like, he actually integrates it with Supabase and then an auth provider called Kinde, which is sort of like Auth0, but also includes, like, SaaS billing and user management.

Kamran Ayub:

So that's pretty cool. So you can kind of see, like, how would I make an MCP server that collects payments and, like, actually does more things than just, you know, boring things. So I think that's pretty cool. So, that is written by Shola Jegede. Next, this is super cool.

Kamran Ayub:

This is by Ge Gao, otherwise known as Snowflyte on GitHub. But I saw this post on Reddit, and it does not have as many upvotes as it deserves because this is a JS REPL with types. And my god, is it a beautiful, hot looking REPL? And you can just start typing in it, and it has auto completion and the same sort of, like, Visual Studio Code style IntelliSense pop ups, and things like that. And you can also import any npm package through ES import syntax because it's powered by jsDelivr, and it also supports retrieving their type definitions if available, and the auto completion will recognize them.

Kamran Ayub:

So he's done a lot of work to make this super nice, but it's just that repple.js.org, which is, you know, super handy. But I think I'm gonna start using this from now on because sometimes you just wanna write something in JavaScript, but you want types with it.

Erik Onarheim:

Dude, I just did import star as EX from Excalibur. And guess what I can do? Yep. That's so cool.

Kamran Ayub:

It is super cool. So this deserves some attention. So you should definitely go check this out. Okay.

Kamran Ayub:

The other post I came across, you remember when we talked about ORM'd and Dangerous, our episode?

Kamran Ayub:

We talked about something called MooseStack, which is like an ORM for OLAP, and they just came out with another blog post on how to transform your transactional ORM into a type safe OLAP data model. And so this goes into some utilities that they built that can take your transactional data model interfaces and types, transform them into an OLAP data model for ClickHouse, and they do it in a way that is ClickHouse compatible and doesn't sacrifice some of the good things that OLAP gives you. And I think this is a really nice sort of engineering blog post on how to create some cool type transformation. So you can go check that out if that sounds interesting to you.

Erik Onarheim:

I'm gonna talk about this link real quick. This is the fast TypeScript analyzer. It's this little quick CLI that'll show you the, like, complexity of your project. So it'll do, like, TypeScript static analysis. It's written in Rust.

Erik Onarheim:

It'll give you information about maintainability, like, you know, different complexity measures, this kind of thing. I don't know if you've used this kind of thing in the past for, like, cyclomatic complexity and that kind of stuff. They have that in here as well. So that might be something to check out.

Kamran Ayub:

Lovely. Should we end the community highlights on a funny joke?

Erik Onarheim:

We should. There's a really funny joke from Bluesky user ed3d.net, and he says, paraphrasing, anyone who willingly writes bare JavaScript in 2025 either works in Svelte or is a maniac and you shouldn't trust them.

Kamran Ayub:

That's awesome. Cool. Well, we both have to cut it short today. There's not gonna be a Minnesota long goodbye. It's gonna be a Minnesota short goodbye because I gotta go pick up my kids.

Kamran Ayub:

And I gotta

Erik Onarheim:

go to a meeting.

Kamran Ayub:

Oh, man. Alright. Well, we'll see you next week.

Erik Onarheim:

We'll see you next week. Bye bye. Bye.

Kamran Ayub:

Hi, everyone. This is Kamran. I just wanted to thank you for listening to the show, and we hope you enjoyed the episode. If you wanna see the show notes, you can check your podcast player or go to typescript.fm where you'll see a list of all the episodes. If you enjoyed the show, tell your friends, and please rate it on Apple Podcasts or Spotify because that's how the show grows and gets discovered by more people.

Kamran Ayub:

If you want to suggest news or a project that should be covered or just wanna say hi, email us at feedback@TypeScript.fm. If you wanna follow us on social, we're both active on Bluesky. I'm @kamranicus.com, and Erik is @erikonarheim.com. You can also follow the show directly @typescript.fm.

Creators and Guests

Erik Onarheim
Host
Self-professed Neovim Dandy 🎩 Software developer in Minneapolis ⛄ I created a game engine for the web called Excalibur 🗡

Kamran Ayub
Host
Solopreneur, speaker, and Pluralsight author. Founder of KeepTrackOfMyGames.com.