The two-year-old attack class that just took out TanStack, a long talk with TkDodo on maintaining a library used by millions, the new August session of From Lizard to Wizard, and npm shipping staged publishing.
New article: GitHub Actions Cache Poisoning is eating open source
Some of the projects that were affected: Angular. tj-actions. Cline. TanStack. The same class of attack has been quietly hijacking publish pipelines for two years, and most teams maintaining a public repo have no idea it exists.
The article walks through the mechanics — what cache poisoning is, why GitHub Actions caches are shared across trust boundaries, the two ways attackers get write access, and the checklist of things to audit in your own repo today.
Read the full article here
Podcast: TkDodo on maintaining TanStack Query
New episode of Señors @ Scale is out. Dominik Dorfmeister — better known as TkDodo — maintains TanStack Query and works as a software engineer at Sentry.
We got into how he became a maintainer almost by accident — answering Discord questions during lockdown until it turned into ownership of one of React's most widely adopted libraries. He's candid about the v4-to-v5 breaking change that went sideways, why major versions are "the pain of his existence," and shipping to a community that only shows up with feedback after release.
We also get into his Sentry work — using Knip to remove 28,000 lines of dead code, building a new design system inside a 10-year-old, million-line codebase, and what's planned for TanStack Query v6.
Watch the full episode on YouTube
Listen on Spotify
From Lizard to Wizard — new date: Wednesday, August 5
The next session is locked in for Wednesday, August 5, 2026 · 5–9 PM CET. Four hours, fully remote. Same Frontend System Design intensive. €299, all bonuses included.
One session, limited seats.
More info
Sign up
Community reads
Staged publishing on npm by npm — pairs directly with this week's article. You can now publish a version to a staging slot, verify it, then promote it. This guardrail would have caught half the incidents from the last 18 months.
TanStack Router and Query, together by TkDodo (Same TkDodo from the podcast). The patterns for combining Router and Query without re-implementing half of one inside the other.
Learn AI by Rob Ennals — an open course from "I've used ChatGPT" to "I understand what's happening."
The Open-Closed Problem in AI by mempko — the classic OCP lens applied to LLM-based systems, and what it costs you when the model changes underneath you.
Agent Glossary by HuggingFace — a clean, definitional pass through the agent vocabulary that's been floating around.
3 takeaways from Dropbox's former Head of Engineering by Developing — three lessons on what scales and what breaks when teams grow.
When to use (and not use) CSS shorthand properties by thoughtbot — the trap that shorthand properties silently reset values you didn't mean to touch.
Conferences
Convex Summit — June 17-18, 2026
I'm speaking at Convex Summit 2026 at Kinépolis Ciudad de la Imagen in Madrid. Two days on how architects and tech leaders navigate complex decisions, with a lineup I'm genuinely looking forward to.
Use code CONVEX26DanNeciu for 15% off tickets.
More info and tickets
React Alicante 2026
No discount code on this one, but I'd flag React Alicante as one of the best React conferences in Europe this year and a must-see if you can make it. I'm not even speaking there and still wouldn't miss it for the world; I've already booked my ticket.
Conference site
Tickets
ZurichJS
ZurichJS is on my list this year. Strong lineup, well-run community, and the kind of single-track conference you can actually keep up with.
Use code REACTJSBARCELONA_10 for 10% off tickets.
More info and tickets
That's it for this one.
If you're enjoying these, share the subscribe link with someone who'd get something out of it, or with your team on Slack:
neciudan.dev/subscribe