Wrote about skeletons, sat down with a Prisma Staff Engineer to talk about databases, and spent the rest of the week watching supply chains get compromised. Good times.
New article: Self-updating shimmer skeletons
Every skeleton component is a maintenance trap. You build a UserCardSkeleton that mirrors your UserCard, hardcode the widths and heights, and the moment someone touches the layout, the skeleton falls out of sync.
I wrote about building a skeleton that reads the DOM instead. The approach uses getBoundingClientRect() and getComputedStyle() to measure the actual component with mock data, then overlays shimmer blocks at the exact positions it finds. The skeleton can't drift because it doesn't describe the layout — it measures it.
The tricky part is timing. useLayoutEffect fires synchronously after DOM updates but before the browser paints, so the measurement happens in the gap between render and display. If you use useEffect instead, the effect runs after the paint, and users see a flash of invisible text before the shimmer appears.
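To make the measure-then-overlay idea concrete, here is an added example in plain DOM JavaScript. It is not the article's code: the article uses React and useLayoutEffect, while this version calls measureSkeleton() synchronously right after the mock-data render is in the tree and before the browser gets to paint, which is the same window. The UserCard stand-in at the bottom is constructed so the measurement runs outside a browser; the element names and sizes are made up.

```javascript
// Added example (not the article's code): build a skeleton by measuring the rendered
// component instead of describing its layout by hand.

// Collect one overlay block per leaf element (text runs, images, badges), positioned
// relative to the container. `styleOf` is injectable so this runs outside a browser.
function measureSkeleton(container, styleOf = globalThis.getComputedStyle) {
  const base = container.getBoundingClientRect();
  const blocks = [];
  for (const el of container.querySelectorAll("*")) {
    if (el.children.length !== 0) continue;        // only leaves carry visible content
    const r = el.getBoundingClientRect();
    if (r.width === 0 || r.height === 0) continue;  // display:none or collapsed: nothing to shimmer
    blocks.push({
      top: r.top - base.top,
      left: r.left - base.left,
      width: r.width,
      height: r.height,
      radius: styleOf ? styleOf(el).borderRadius : "0px", // keeps avatars round
    });
  }
  return blocks;
}

// Hide the mock-data render and lay shimmer blocks over it at the measured positions.
// Call this in the same synchronous step as measureSkeleton(), before yielding to the browser.
function renderShimmer(container, blocks, doc = globalThis.document) {
  container.style.position = "relative";
  container.style.visibility = "hidden";            // inherited by children, overridden on the overlay
  container.setAttribute("aria-busy", "true");
  const overlay = doc.createElement("div");
  overlay.setAttribute("style", "position:absolute;inset:0;visibility:visible;pointer-events:none;");
  for (const b of blocks) {
    const block = doc.createElement("div");
    block.setAttribute(
      "style",
      `position:absolute;top:${b.top}px;left:${b.left}px;width:${b.width}px;height:${b.height}px;` +
        `border-radius:${b.radius};background:#e5e7eb;animation:shimmer 1.2s linear infinite;`,
    );
    overlay.appendChild(block);
  }
  container.appendChild(overlay);
  return overlay;
}

// Constructed stand-in for a rendered UserCard so the measurement runs in Node:
// a 240x64 card at viewport (100,200) with a round 48px avatar, two text lines, and a hidden badge.
function fakeEl(rect, children = [], borderRadius = "0px") {
  const descendants = () => children.flatMap((c) => [c, ...c.querySelectorAll("*")]);
  return { children, borderRadius, getBoundingClientRect: () => rect, querySelectorAll: descendants };
}
const FAKE_CARD = fakeEl({ top: 200, left: 100, width: 240, height: 64 }, [
  fakeEl({ top: 208, left: 108, width: 48, height: 48 }, [], "50%"), // avatar
  fakeEl({ top: 208, left: 168, width: 160, height: 20 }),           // name line
  fakeEl({ top: 236, left: 168, width: 120, height: 16 }),           // subtitle
  fakeEl({ top: 0, left: 0, width: 0, height: 0 }),                  // display:none badge
]);
const fakeStyleOf = (el) => ({ borderRadius: el.borderRadius });

// Three blocks come back; the collapsed badge is skipped.
const DEMO_BLOCKS = measureSkeleton(FAKE_CARD, fakeStyleOf);
```

Because the blocks are computed from the real boxes, a layout change in UserCard moves the shimmer with it; the only thing that can go stale is the mock data you render to measure against.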
Read the full article here
Podcast: Tyler Benfield on database performance
New episode of Señors @ Scale is out. Tyler Benfield is a Staff Software Engineer at Prisma.
We covered a lot of ground. The most common ORM anti-patterns that quietly kill app performance. Why indexes are the single biggest lever most developers ignore.
How connection pooling works and why serverless runtimes make the problem dramatically worse. And how Prisma Accelerate turns database connections into HTTP calls.
Tyler also had a take I hadn't heard before: that SQL itself is a bad query language for nested relational data. The way most ORMs generate queries doesn't match how developers think about data, and that mismatch is where most N+1 problems come from.
Watch the full episode on YouTube
Listen on Spotify
Workshop: From Lizard to Wizard
My full-day engineering workshop is running again at the end of April, in Barcelona and remote.
It covers seven modules: algorithms, system design, security, accessibility, observability, design patterns, and AI. The format is hands-on — you design a WhatsApp-scale system, exploit real XSS vulnerabilities, set up actual monitoring. Over 100 engineers have been through it, and it's sold out in Singapore, Athens, and London.
Early bird is 150€ (down from 250€).
Get your spot here
Community reads
Aurora Scharff on error handling in Next.js — Next.js 16.2 shipped unstable_catchError, a framework-aware error boundary that actually understands notFound() and redirect(), the calls that silently break regular React error boundaries. It also comes with a retry() callback for real server-side refetching, which has been missing since the App Router launched.
Read it here
axios got hit — A compromised npm account pushed axios@1.14.1 with a hidden dependency called plain-crypto-js that drops a remote access trojan on install. We're talking about a package with 100 million weekly downloads. Pin to 1.14.0 or 0.30.3 immediately, and search your lockfiles both for plain-crypto-js and for axios resolved to 1.14.1: a caret range like ^1.14.0 picks the bad release up on any fresh install. Pinning only protects machines that haven't installed it yet. If you find it in a lockfile, the install hook has already run there, so assume the machine is compromised and rotate all your secrets.
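The lockfile search is worth scripting rather than eyeballing, because the hidden dependency can sit several levels deep. Below is an added example (not from the advisory or from axios) that scans an npm lockfile for the two indicators the item names: the package name anywhere in the tree, and axios resolved to the pulled release. It handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and v1 (nested "dependencies" tree). The sample lockfile is constructed; every version in it other than the axios ones is made up.

```javascript
// Added example: audit an npm lockfile for a known-bad package and a known-bad resolved version.
const INDICATORS = {
  badPackages: new Set(["plain-crypto-js"]),    // presence anywhere in the tree is a finding
  badVersions: { axios: new Set(["1.14.1"]) },   // exact resolved versions to flag
};

function checkEntry(name, entry, path, ind, findings) {
  const version = entry.version;
  const base = { path, name, version, installScript: Boolean(entry.hasInstallScript) };
  if (ind.badPackages.has(name)) findings.push({ ...base, reason: "known-bad package present" });
  if (ind.badVersions[name] && ind.badVersions[name].has(version)) {
    findings.push({ ...base, reason: "known-bad version resolved" });
  }
}

// lockfileVersion 1: nested "dependencies" objects, each child installed under its parent's node_modules.
function walkV1(deps, prefix, ind, findings) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    checkEntry(name, entry, path, ind, findings);
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/node_modules`, ind, findings);
  }
}

function auditLockfile(lock, ind = INDICATORS) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/@scope/b"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      // "node_modules/" is 13 characters; slicing after the last one keeps "@scope/pkg" intact.
      const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      checkEntry(name, entry, path, ind, findings);
    }
  } else {
    walkV1(lock.dependencies || {}, "node_modules", ind, findings);
  }
  return findings;
}

// Constructed lockfile: a caret range on axios let a fresh install resolve to the pulled
// release, which in turn pulled in the hidden dependency.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*", "follow-redirects": "^1.15.6" } },
    "node_modules/plain-crypto-js": { version: "0.0.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Stand-alone use: `node audit-lock.js package-lock.json`; with no argument it audits the sample.
if (typeof require === "function" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.reason}: ${f.path} (${f.name}@${f.version})${f.installScript ? " [has install script]" : ""}`);
  }
}
```

Once the lockfile is clean, pin axios with an exact version in package.json (no caret) and, if it is also a transitive dependency, add an `overrides` entry for it so nothing else can drag 1.14.1 back in. The `hasInstallScript` flag in v2/v3 lockfiles is a useful extra signal: a package you don't recognise that carries an install hook deserves a look even when it isn't on an indicator list.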
Pretext by Cheng Lou — A pure TypeScript text layout engine that computes text dimensions without touching the DOM. Cheng Lou helped build React at Meta, and his argument is that getBoundingClientRect() in scroll and resize handlers is a foundational bottleneck. (Cough cough to my skeletons article)
Every call can force a synchronous layout flush: if anything has dirtied layout since the last frame, the browser has to recompute it before it can answer. Pretext splits this into two phases: an offscreen canvas for text measurement and pure arithmetic for layout. The result is scroll handlers running at 120fps. Worth looking at if you've ever tried to virtualize a list where every item has a different text height.
Check it out here
No prompt injection required — The FutureSearch team got their machine compromised through an MCP server: an unpinned dependency in litellm picked up a poisoned PyPI package the moment uvx auto-downloaded it. The only reason they caught it was that the malware had a fork bomb bug that spawned 11,000+ processes and froze the machine.
If the attacker had written slightly better code, the compromise would have been invisible.
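The first thing to check after reading this is which of your own MCP servers are started through an on-demand runner like uvx or npx, where every launch is a fresh dependency resolution. Here is an added example (not from the FutureSearch write-up) that walks an MCP client config and flags entries whose package spec carries no version pin. It assumes the common `mcpServers` JSON shape ({ name: { command, args } }) that MCP clients use, and that uvx accepts `name==version` after `--from` or `name@version`, while npx pins with `name@version`. The config below is constructed; the server names, package names and version numbers are made up.

```javascript
// Added example: flag MCP servers launched through an ephemeral runner without a pinned spec.
const ON_DEMAND_RUNNERS = new Set(["uvx", "npx"]); // fetch-and-run tools; add others you use

// The package spec is the first non-flag argument, except that uvx resolves the
// `--from <spec>` value when it is present.
function packageSpec(args) {
  const i = args.indexOf("--from");
  if (i !== -1 && i + 1 < args.length) return args[i + 1];
  const spec = args.find((a) => !a.startsWith("-"));
  return spec === undefined ? null : spec;
}

// npm: pinned when "@<exact version>" follows the name (scoped names start with "@",
// so look past index 0). PyPI via uvx: pinned with "==<version>" or the "name@version" shorthand.
function isPinned(command, spec) {
  if (!spec) return false;
  if (command === "npx") {
    const at = spec.indexOf("@", 1);
    return at !== -1 && /^\d+\.\d+\.\d+/.test(spec.slice(at + 1));
  }
  return /==\d/.test(spec) || /@\d+\.\d+/.test(spec);
}

function auditMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const cmd = String(server.command || "").split("/").pop(); // tolerate absolute paths
    if (!ON_DEMAND_RUNNERS.has(cmd)) continue;
    const spec = packageSpec(server.args || []);
    if (!isPinned(cmd, spec)) findings.push({ server: name, command: cmd, spec });
  }
  return findings;
}

// Constructed config covering the cases the check distinguishes.
const SAMPLE_MCP_CONFIG = {
  mcpServers: {
    llm: { command: "uvx", args: ["litellm", "--port", "4000"] },                   // refetched unpinned on every start
    llmPinned: { command: "uvx", args: ["--from", "litellm==1.2.3", "litellm"] },  // made-up version
    fetch: { command: "npx", args: ["-y", "@acme/mcp-fetch"] },                     // hypothetical package, unpinned
    fetchPinned: { command: "/usr/local/bin/npx", args: ["-y", "@acme/mcp-fetch@2.0.1"] },
    local: { command: "node", args: ["/opt/mcp/server.js"] },                       // runs local code, no fetch
  },
};

// Stand-alone use: `node audit-mcp.js path/to/client-config.json`; no argument audits the sample.
if (typeof require === "function" && require.main === module) {
  const file = process.argv[2];
  const config = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_MCP_CONFIG;
  for (const f of auditMcpConfig(config)) console.log(`unpinned: ${f.server} runs ${f.command} ${f.spec}`);
}
```

A pinned top-level spec is only the first layer. It does not constrain transitive dependencies, which is exactly where the poisoned package in the FutureSearch case came from. For anything you rely on, resolve the server once into a locked environment with hash-checked dependencies and point the MCP entry at that environment's executable instead of an ephemeral runner, so a new upstream release cannot change what runs on your machine without a deliberate update.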
Read it here
If you're enjoying these, share the subscribe link with someone who'd get something out of it, or with your team on Slack:
neciudan.dev/subscribe