Let's see what's new this week!
New article: A tech breakdown of Server-Sent Events vs WebSockets
Most developers reach for WebSockets the moment they hear "real-time." It's muscle memory at this point. But if your data only flows one direction — server to client — you probably don't need them.
I wrote a full breakdown of SSE vs WebSockets. The article covers why the native EventSource API should be replaced with fetch-based streams, where SSE wins (AI streaming, dashboards, notification feeds), where WebSockets still make sense (multiplayer, collaborative editing, binary data), the auth problem most people get wrong, and what breaks when you ship SSE to production behind Nginx and load balancers.
Read the full article here
Andrey Sitnik, creator of PostCSS, on CSS Tooling, Plugin Ecosystems & Open Source Values at Scale
We covered a lot of ground, including how PostCSS started as a response to vendor prefix hell and ended up becoming the plugin system that changed CSS tooling.
One of my favorite parts was the conversation about Browserslist and how the query language was deliberately designed to prevent browser discrimination. There's no query for "mobile browsers" and they reject that feature request every few months on purpose.
We also went deep on open source values, the damage 2010s venture culture did to the software industry, and why he thinks a small group of people can still reshape LLM culture if they bring the right values from the early open source era.
Watch the full episode here
Security Course — Module 2: XSS is here
You'll work through Stored, Reflected, and DOM-Based XSS, then see how XSS plays out differently across React, Vue, Angular, and Vanilla JS.
There's a full case study on XSS combined with OAuth — the kind of attack chain that actually shows up in production.
One lesson covers what happens when AI writes your XSS for you (spoiler: it's getting good at it).
The module wraps up with CSP, Trusted Types, the Sanitizer API, and a practical audit checklist you can run against your own apps.
If Module 1 was about your supply chain, Module 2 is about what gets through to your users.
Sign up for FREE here
Community reads
Outside-In Testing Strategy: Building Confidence for Continuous Deployment by Eduardo Aparicio Cardenes — a solid piece on structuring your testing approach from the outside in, optimizing for confidence in continuous deployment rather than arbitrary coverage numbers.
Read it here
Document Poisoning in RAG Systems by Amine Raji — a fully reproducible walkthrough of how an attacker can inject fabricated documents into a ChromaDB knowledge base and get an LLM to report false financials as fact. No jailbreak, no model access, just three documents added to the vector store. Runs 100% locally, no GPU required.
Read it here
Temporal: The 9-Year Journey to Fix Time in JavaScript by Jason Williams at Bloomberg — the full story of how Date got ported from Java in 10 days in 1995, why it's been broken ever since, and how TC39 finally got Temporal across the finish line. If you've ever had setMonth roll your billing date into the wrong month, you'll feel this one.
Read it here
Building a Design System from Scratch by German Quinteros at Glovo — how Glovo built Pintxo, their cross-platform design system, after ending up with four different design systems across web apps alone. The article walks through their three-layer architecture (primitives, foundations, components), why they chose platform-owned parsers over a shared one, and how Spotify's Local Design System concept solved their adoption problem. Good read if you're dealing with component fragmentation across teams.
Read it here
One AI Coding Agent Is Not Enough by Niklas Wortmann — on why forcing one AI agent to handle every type of task breaks down, and how he uses ACPX as a routing layer to hand off design-heavy frontend work to Claude while keeping Codex as his default for implementation. The distinction between implementation reasoning and design reasoning is sharp.
Read it here
Conferences
React Paris — March 26-27, 2026
I'm speaking at React Paris this year and I'm really excited about it. It's a two-day single-track conference at Pullman Paris Montparnasse, which means you see everything — no scheduling conflicts.
Also speaking: Kent C. Dodds, Tejas Kumar, and Aurora Scharff among others.
Tickets are up now. Use code rp26_rbcn at checkout for 10% off.
Get tickets to react.paris
CityJS London — April 15-17, 2026
Three days at Kensington Town Hall in London. Two days of workshops and meetups, one full-day conference. The format is great because by the time you hit the main day you've already met half the room.
I'll be there speaking alongside Rich Harris, Liran Tal, Jason Lengstorf, and others.
Get tickets with 20% discount here
That's it for this one. See some of you in Paris.
If you're enjoying these, share the subscribe link with someone who'd get something out of it, or with your team on Slack:
neciudan.dev/subscribe