
Analytics on Live Data Without Leaving Postgres
When analytics on Postgres slows down, most teams add a second database. TimescaleDB by Tiger Data takes a different approach: extend Postgres with columnar storage and time-series primitives to run analytics on live data, no split architecture, no pipeline lag, no new query language to learn. Start building for free. No credit card required.

What's up, everyone? This week TanStack got hit with one of the most sophisticated npm supply-chain attacks I've ever seen, Anthropic put Claude on a credit meter, and OpenAI started actively poaching the people who left. Let's dive in.
TanStack shipped 84 malicious package versions for about 20 minutes on Sunday. The postmortem is required reading. An attacker chained a pull_request_target "Pwn Request" (a workflow that runs with the base repository's token and secrets but checks out and executes code from the fork), GitHub Actions cache poisoning across the fork/base trust boundary, and OIDC token extraction from runner memory. The result: TanStack's own release workflow published the malware. No maintainer was phished; the CI pipeline robbed itself. If you installed anything from TanStack or related packages on May 11, rotate every credential the install host could reach. Tanner's follow-up post about hardening (including seriously considering closing PRs to external contributors) is just as honest.
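A quick way to triage your own repos for the same shape, as an added example (not TanStack's code and not from the postmortem): a line-oriented audit script that flags pull_request_target workflows that check out and run the fork's head, write a cache from that privileged run, or grant write or id-token permissions. The two embedded workflows are constructed samples, and the regexes are a heuristic rather than a YAML parser, so read anything it flags by hand.

```python
"""Heuristic audit for the "Pwn Request" shape in GitHub Actions workflows.

Line-oriented regex checks rather than a YAML parser, so it needs no
third-party packages and can be pointed straight at .github/workflows/*.yml.
It flags the ingredients the TanStack postmortem describes: a
pull_request_target trigger (base-repo token and secrets), a checkout of
the fork's head, code execution after that checkout, a cache written from
the privileged run, and write-scoped permissions (including id-token).
"""
import re
import sys
from pathlib import Path

PRT_TRIGGER = re.compile(
    r"^\s*(-\s*)?pull_request_target\s*:?\s*$|^\s*on\s*:.*\bpull_request_target\b"
)
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
RUN_STEP = re.compile(r"^\s*-?\s*run\s*:")
CACHE_STEP = re.compile(r"uses:\s*actions/cache@")
WRITE_PERM = re.compile(r"^\s*(contents|id-token|packages|pull-requests)\s*:\s*write\b")

# Constructed sample: the classic Pwn Request, fork code run with write + OIDC rights.
VULNERABLE_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
"""

# Constructed sample: same job on the unprivileged pull_request trigger, read-only token.
HARDENED_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci && npm test
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs; an empty list means nothing was flagged."""
    lines = text.splitlines()
    if not any(PRT_TRIGGER.search(l) for l in lines):
        return []  # plain pull_request from a fork gets a read-only token: nothing to escalate

    findings = []
    untrusted_checkout = False
    for i, line in enumerate(lines):
        if CHECKOUT.search(line):
            # Inspect only this step's own nested block (deeper indent than the '- uses' line).
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > _indent(line)):
                if PR_HEAD_REF.search(lines[j]):
                    untrusted_checkout = True
                    findings.append((j + 1, "untrusted-checkout"))
                j += 1
        elif untrusted_checkout and RUN_STEP.search(line):
            findings.append((i + 1, "untrusted-run"))  # fork code runs with base-repo secrets
        elif untrusted_checkout and CACHE_STEP.search(line):
            findings.append((i + 1, "cache-write"))  # cache saved from a fork-controlled tree
    for i, line in enumerate(lines):
        if WRITE_PERM.search(line):
            findings.append((i + 1, "write-permission"))  # widens what a hijacked run can do
    return findings


def main(paths: list[str]) -> int:
    """Audit the given workflow files (default: .github/workflows); exit 1 if anything is flagged."""
    if not paths:
        paths = [str(p) for p in Path(".github/workflows").glob("*.y*ml")]
    flagged = 0
    for path in paths:
        for line_no, finding in audit_workflow(Path(path).read_text()):
            print(f"{path}:{line_no}: {finding}")
            flagged += 1
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_workflows.py .github/workflows/*.yml` (file name assumed) in CI so it fails the build when something is flagged. The safe shapes are a plain pull_request trigger with read-only permissions, or, where a job really needs write access (labels, comments), the split GitHub itself recommends: an unprivileged pull_request job that uploads its results as an artifact and a separate workflow_run job that consumes them without ever checking out fork code.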
Anthropic tightened Claude limits and OpenAI immediately started courting the angry ones. Paid Claude subscribers can use third-party agent harnesses like OpenClaw again, but only against a separate monthly credit meter. Sam Altman responded within hours by offering new business customers two months of free Codex. I think the response is overblown, and I doubt the average enterprise company using Claude Code in the CLI is fazed. Subsidies are ending, and we should expect to see this across the board soon.
Next.js released 13 CVEs in a single bundle on May 7, seven of them high severity. Patches are out in v16.2.6 and v15.5.18. The list includes DoS via Server Components (surprise, surprise), multiple middleware/proxy bypasses in App Router (…surprise, again), and cache poisoning in RSC responses. If your auth or tenant checks live only in middleware, treat the bypasses as an auth bypass until you are patched. Upgrade today if you haven't already. On a related note, Cloudflare also published a great writeup on how they mitigated the "Copy Fail" Linux kernel privilege escalation with a no-reboot eBPF program.
OpenAI opened up ChatGPT ads to anyone with a credit card. Self-serve Ads Manager in beta for US advertisers, CPC bidding alongside CPM, and the $50K minimum from the pilot is gone. Sam Altman called combining ads with AI "uniquely unsettling" in 2024 and a "last resort." The last resort lasted about 18 months. Free and Go-tier users get the ads; Plus and Pro subscribers don't.
Anthropic also partnered with the Gates Foundation for $200M over four years, launched Claude for Small Business, and signed a SpaceX compute deal for 220,000 GPUs at Colossus 1 with stated interest in "orbital AI compute capacity." Make of that what you will. All I know is that it means more usage.
Also this week:
Astro 6.3 released with experimental advanced routing. This means you can now bring Hono (or any fetch-handler framework) and compose Astro's pipeline yourself.
Tailwind v4.3.0 released with @container-size, full scrollbar utilities (scrollbar-thin, scrollbar-thumb-*, scrollbar-gutter-*), zoom-*, tab-*, and stacked @variant syntax.
Figma Make added custom skills. Desktop file transitions are also faster now.
shadcn/ui added package imports support (#components/* aliases) and target aliases for registry items.
Railway #0288 and #0289 brought unified template search, an interactive railway scale UI, real SSH, an auto-deploy toggle, and volume deletes over the API that now soft-delete for 48 hours, shipped specifically because an AI agent deleted a production database with a long-lived token. Guardrails are the theme of 2026. Also, don't give your agents production access.
Dokploy 0.29.3 patched an undisclosed security vulnerability with a separate cleanup script. Upgrade and run it. It takes 5 minutes. 0.29.4 is a one-line regex fix for deployment logs.
What did I miss? There’s so much happening in modern web dev that I know I missed something. Please share your thoughts in the comments or reply to this email. I want to address your suggestions and may include them in future newsletters.
Thanks for reading. See you next time.
Distinguish real intent from malicious intent.
hCaptcha User Journeys finds malicious intent across sessions, devices, and apps. Detect intent signals that expose risk before it escalates.
Understand motives, not just outcomes. Book a demo and find out how it works.




