Been a busy few weeks. New article, new TypeScript version dropping, two conferences coming up, and the first module of my security course is finally out. Let me catch you up.
New article: Git deep dive
Spotify's top engineers haven't written a single line of code since December. Teams using AI are merging twice as many PRs but spending 91% more time reviewing them. 45% of AI-written code has security issues.
The hours you're not spending writing code? You're spending them reviewing it. So I wrote about the Git skills that actually matter now — git bisect, worktrees, reflog, reading diffs at scale. The stuff that makes you a better reviewer, not just a faster typer.
Read it here
TkDodo on Query Abstractions
If you haven't read Dominik's latest on the TkDodo blog, stop what you're doing. It's called Creating Query Abstractions and it's one of those articles where you start nodding along immediately because you've made every mistake he's describing.
He walks you through the obvious approach, shows why it breaks, tries the next thing, shows why that also breaks, and eventually lands on something genuinely clean. The whole thing is structured around evolving code rather than a list of tips, which is how this stuff should be taught.
Read it here
TypeScript 6.0 Beta is out — and it's a bridge, not a destination
The beta dropped on February 11th and the most important thing to understand about it is what it is: the last TypeScript release built on the current JavaScript codebase. TypeScript 7.0 will be a Go-based native rewrite. 6.0 is explicitly designed to get you ready for that jump.
Most of the changes are alignment work for 7.0. But there are real improvements in here too. The one I find most interesting is a fix to how contextually sensitive functions are treated during generic inference — specifically, method syntax vs arrow function syntax used to behave differently in ways that had no good reason to exist. If you've ever had y inferred as unknown when you knew it shouldn't be, this is probably why.
The practical thing to do right now: install the beta, run your type-check, see what breaks. The TypeScript team is explicitly using 6.0 as a preparation step, so if something new errors in 6.0 it's almost certainly going to error in 7.0 too. Better to find out now.
npm install -D typescript@beta
Full beta announcement here
Conferences
React Paris — March 26-27, 2026
I'm speaking at React Paris this year and I'm really excited about it. It's a two-day single-track conference at Pullman Paris Montparnasse, which means you see everything — no FOMO, no scheduling conflicts.
Also speaking:
- Kent C. Dodds — needs no introduction at this point
- Tejas Kumar — always one of the most entertaining talks of any lineup he's in
- Aurora Scharff — great on RSC and server-side patterns
Tickets are up now. Use code rp26_rbcn at checkout for 10% off.
Get tickets to react.paris
CityJS London — April 15-17, 2026
Three days at Kensington Town Hall in London. Two days of workshops and meetups, one full-day conference. The format is great because by the time you hit the main day you've already met half the room.
I'll be there speaking alongside some people I'm genuinely looking forward to seeing again, including:
- Rich Harris — Svelte creator, always has something interesting to say about the direction of the web
- Liran Tal — security in JS is one of the most underrated topics in our community and he does it better than almost anyone
- Jason Lengstorf — brings an energy to conference talks that's hard to match
Get tickets with 20% discount here
Security Course — Module 1 is out
Something I've been building for a while. Module 1 of my web security course just went live and I'm really happy with how it came out.
It starts where most security content doesn't: package.json. Most developers treat their dependency list as a black box — something that just works until it doesn't. Module 1 tears that apart. You'll learn how package resolution actually works, what the lock file is really doing, and why two projects with the same package.json can have completely different behavior.
From there you build your own dependency scanner from scratch. Not a toy version — an actual tool that parses your dependency tree, checks versions against known vulnerability databases, and flags transitive dependencies (the ones that sneak in through your dependencies' dependencies). By the end of module 1 you'll understand why the node_modules folder is the size it is and where your actual attack surface lives.
If you've ever pasted an npm audit output into Slack and hoped someone else would deal with it, this course is for you.
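An added example, not code from the course: a scanner over the packages map of an npm lock file that resolves each dependency the way Node does and reports every affected installed copy along with what pulls it in. The package names, advisory IDs and the fixedIn advisory shape are constructed for illustration.

```javascript
// Constructed lockfileVersion 3 data (not a real project or real advisories).
const lock = { packages: {
  "": { dependencies: { "web-fw": "^2.0.0", "tiny-log": "^1.0.0" } },
  "node_modules/web-fw": { version: "2.1.0",
    dependencies: { "qs-lite": "^1.2.0", "tiny-log": "^0.9.0" } },
  "node_modules/qs-lite": { version: "1.2.3" },
  "node_modules/tiny-log": { version: "1.4.0" },
  // Nested copy: web-fw needs an older tiny-log than the root asks for.
  "node_modules/web-fw/node_modules/tiny-log": { version: "0.9.1" },
} };
// Hypothetical advisory shape: versions below `fixedIn` are affected.
const advisories = [{ id: "EXAMPLE-0001", name: "qs-lite", fixedIn: "1.3.0" },
  { id: "EXAMPLE-0002", name: "tiny-log", fixedIn: "1.0.0" }];
// Compare plain x.y.z versions (assumption: no prerelease or build tags).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Node-style resolution: the requirer's own node_modules first, then walk up.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.slice(0, Math.max(0, base.lastIndexOf("/node_modules/")));
  }
}
// Report each installed copy that matches an advisory, and who requires it.
function scan(lock, advisories) {
  const pk = lock.packages, requiredBy = {};
  for (const [path, meta] of Object.entries(pk)) {
    const deps = { ...meta.dependencies, ...(path === "" ? meta.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const target = resolve(pk, path, name);
      if (target) (requiredBy[target] = requiredBy[target] || []).push(path || "(root)");
    }
  }
  const findings = [];
  for (const [path, meta] of Object.entries(pk)) {
    if (path === "") continue; // the root project itself is not an installed package
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const by = requiredBy[path] || [];
    for (const adv of advisories)
      if (adv.name === name && cmp(meta.version, adv.fixedIn) < 0)
        findings.push({ id: adv.id, path, direct: by.includes("(root)"), requiredBy: by });
  }
  return findings;
}
```

In this data the root depends on tiny-log directly, yet the only affected copy is the nested one that web-fw brings in, which a scan of package.json alone would never show.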
Check it out here
That's it for this one. See some of you in Paris.