Evan You (@evanyou)

I've left most of what I want to say in the VoidZero blog post. But worth repeating: Thank you @voidzerodev team for trusting me and joining me on this wild ride. I am very proud to have assembled such a talented team and even prouder of what we have built together. Thank you all our investors for believing in my vision, in particular @caseyaylward from @Accel who led both our Seed and Series A. Thank you the @vite_js community. Vite and VoidZero wouldn’t have come this far without your trust and support. We will continue building with all of you, together, in the open. And thank you to everyone that made this happen at @Cloudflare. Looking forward to working with you all!

An update on Module Federation: We're officially recommending module-federation/vite. Why? We first we spent months exploring built-in MF support in Rolldown, even reimplemented MF 2.0 from scratch for both @rolldown_rs and @vite_js. What we learned is that not only the scope is huge, but that most MF features inevitably live in the JS plugin layer and not the bundler. Meanwhile, @giorgio_boa had already shipped full Vite 7/8 support in module-federation/vite. In collaboration with @dalaoshv, @nstlopez, @2hea1, and @Zackary_Chapple, more bug fixes and examples have been added. Instead of duplicating effort, we're going all-in on collaboration instead. If there are blocking things in the bundler, we are happy to help fix them, but we won't be building a separate MF implementation in Rolldown.

Couldn't keep up with all the news? We got some selected highlight from last month to recap! 🌀 → Vite Plus lazyPlugins API → Vitest 5 sneak peak: A new Trace Viewer → Oxlint: RFC for linting Svelte/Vue/Angular templates → Module Federation in Vite via plugin Full video 🔽

Next.js just got its worst vulnerability ever, CVSS 8.6. → affects versions 13.4.13+, 14.x, 15.x, and 16.0.0–16.2.4 → attackers can access your internal services, cloud credentials, API keys, and admin panels → no authentication needed → one crafted request is all it takes → roughly 79,000 instances are exploitable right now → vercel-hosted apps are safe, self-hosted are not upgrade to 15.5.16 or 16.2.5 immediately.

fate 1.0: The first full Async React Metaframework New in 1.0: * Zero-Config Live Views via SSE * Drizzle Support * "Native" HTTP support (no tRPC) * Void Router * Vite plugin * Clientside Garbage Collection * Performance & scalability improvements

Supabase internal control-plane linting stats. eslint: 54s + frequent OOMs with 4gb machines oxlint: 8.6s Multiple monorepo project, same rules, all type-aware. Now gotta unify it with oxfmt (from biome, so should be trivial) and should be done. Bless your soul @voidzerodev.

TanStack Devtools just migrated to @OxcProject parser + magic-string!🚀 The results: 📌 Per-file transform: 1.65 ms → 0.46 ms 📌 Full pass: 75.73 ms → 21.25 ms 📌 Speedup: 3.56×

Another Vue Lynx release, brought to you by the @vuejs x @LynxJS_org community 💖 <KeepAlive> by @jynxbt <Teleport> by @sentomk Event modifiers, improved Volar types by @KealanAU_ Class binding type fixes by @davidaganov Initial scoped CSS by @Huxpro

SECURITY ADVISORY — TanStack npm packages A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package. Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down. Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys. If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised: • Rotate cloud, GitHub, and SSH credentials immediately • Audit cloud audit logs for the last several hours • Pin to a prior known-good version and reinstall from a clean lockfile Detection — the malicious manifest contains: "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee#..." } Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root). Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level. Full technical breakdown, complete package and version list, and rolling status updates: Credit to the security researcher for responsible disclosure.

Oxlint v1.64.0 & Oxfmt v0.49.0 are out! 🚀 → oxfmt experimental svelte support → ruleCustomizations linter LSP option → improved disable directive handling → 15 bug fixes → performance optimizations in oxfmt CLI take a look below ⬇️

. @remix_run 3 is so cool. But it's not made for bundling. I wired it through @nitrojsdev and @vite_js 📦 163 MB → 295 KB dist (565× smaller) 📁 2,891 → 25 files ⚡ 389ms → 59ms startup 🚀 deploys to anywhere nitro does. Zero config.

In celebration of @rolldown_rs 1.0 🎉 Announcing `comptime` — a Zig-inspired build-time evaluation primitive, exposed as Vite and Rolldown plugins This allows you run code at build time, replacing the call site(s) with the evaluated output value.

Multiple security vulnerabilities affecting React Server Components and Next.js have been disclosed. We strongly recommend updating your applications immediately. Cloudflare WAF managed rules already mitigate the disclosed denial-of-service vulnerabilities, and we are investigating additional coverage for several other CVEs.

We’ve released Next.js versions 16.2.6 and 15.5.18 with important security fixes. These fixes address multiple vulnerabilities across high, moderate, and low severity, including one upstream React issue. We strongly recommend upgrading as soon as possible. ⬇️

I was looking back through my GitHub and found my goals from 2021. It made me think back to four years ago, when I first started this side project and got to know @_hyf0 @_h_ana___ and @_IWANTBETHATGUY I never imagined that a side project from back then would grow into what it has become today. None of this would have happened if @evan hadn’t taken over the project and brought everyone together to push it all the way into becoming a core part of Vite. The Oxc created by @boshen_c was another crucial piece of the puzzle. I still remember when the first SWC-based POC of Rolldown came out — it was more than 2x slower than esbuild, and I felt really discouraged. At the time, I wondered whether it would still be meaningful even if we managed to build it. It wasn’t until @rolldown_rs was later taken over by VoidZero and fully rewritten with Oxc that it reached the incredible performance we’re seeing today. I’m no longer part of the Rolldown team in @voidzerodev, but I’m still genuinely proud of what it has become. Congratulations to the Rolldown team — what you’ve done is truly remarkable!

🚀 tsdown v0.22 is out, powered by Rolldown 1.0.0! What’s new: ✦ Upgraded to Rolldown v1.0.0 ✦ Cut install size by 1.33 MB ✦ Auto-detects the `bin` field ✦ Dropped Node.js 20, 21, and 23 ✦ `dts` now inferred from `compilerOptions.declaration`