JEM Newsletter - JavaScript Every Month

January 4, 2026

JEM - Web in December - JavaScript Every Month Newsletter

Hey 2026 👋

December began with a bang for the JavaScript community when the core AI lab Anthropic acquired Bun. Bun aims to be the all-in-one JavaScript runtime and powers Anthropic's crown jewel, Claude Code.

I wrote about a security vulnerability last month: a critical bug in React and related RSC platforms like Next.js. One issue triggered others and we now have a couple to handle. If you don't use RSCs, you're safe; otherwise, update to the latest versions.

  • Critical Security Vulnerability in React Server Components - React blog
  • Denial of Service and Source Code Exposure in React Server Components
  • Next.js security update: Dec 11, 2025
  • Wes Bos explains what the vulnerability is (and isn't) on his YouTube stream
  • Dan Abramov built a RSC explorer where the server components are rendered from a web worker.
  • Cloudflare outage on December 5, 2025 - Cloudflare went down when trying to mitigate the vulnerability.

Releases

Browsers

Chrome 143

  • Introduces @container anchored(fallback) to style descendants of anchor positioned elements based on which of position-try-fallbacks is applied.
  • Introduces support for font-language-override CSS property
  • Relaxes the validation of the JavaScript DOM APIs to match the HTML parser.

Firefox 146

  • contrast-color() function is supported
  • The text-decoration-inset property is now supported, which enables adjusting the start and end points of an element's text-decoration so it can be shortened, lengthened, or have its position shifted with respect to the rendered text. (Firefox is the first browser to ship this, that's fresh)
  • The @scope at-rule is now supported by default

Safari 26.2

  • The Largest Contentful Paint (LCP) and Interaction to Next Paint (INP) metrics are now Baseline Newly available, with support in Safari 26.2 for the Contentful Paint API and Event Timing API needed to measure these metrics.
  • Added support for Animation.prototype.overallProgress.

IDEs

  • AI labs gave away some compute for the holidays (here's my Tweet on holiday offers). A few are still ongoing: the z.ai coding plan is at 50% off (insanely good if you are looking for a personal option), and the Minimax coding plan starts at $2.
  • Chrome Devtools MCP can directly connect to your active tab session (if you use Chrome Beta for now)
  • Microsoft released a JS/TS Modernizer Copilot plugin

Progress on TypeScript 7 – December 2025

TypeScript 6 will be the final JS-based release for TS. It will switch over to Go from TS 7. The VS Code plugin and tsgo package are ready for everyone to try.

Bun 1.3.4

  • URLPattern API
  • Fake timers via bun:test
  • Standalone Executables No Longer Load Config Files at Runtime

and a lot more, in keeping with Bun's history of releases.

npx shadcn create

You can now choose whether Shadcn uses Radix or BaseUI when creating a new project. You can also switch between different spacing and color schemes.

Tanstack Vue Start

Tanstack Start adds support for Vue.

Fate - React data client

Christoph Nakazawa released a data client for React inspired by Relay and GraphQL. It has normalized caching and full type safety, and is built for async React.

BaseUI 1

BaseUI has reached 1.0 status and now includes a Button component.

Waku 1.0 Alpha

Waku, a framework built from the ground up for React RSCs, is reaching version 1.

jax-js

A machine learning library built on WebAssembly and WebGPU for (you guessed it) the Web.

In the Spotlight 🔦

Our favourite language turns 30 this year and continues to be the most popular programming language on the planet.

JavaScript is 30. Still running the web & still our favorite. 💛✨

The OpenJS Foundation is grateful for every contributor who has shaped its path, and we look forward to the continued growth of this community. pic.twitter.com/EXpif42CuB

— OpenJS Foundation (@openjsf) December 5, 2025

Everyone uses—or is recommended to use—a dictation app these days. Tip: it’s built into macOS if you’re on Tahoe, so you don’t need a separate app. If you want extra customization, profiles, and a personal dictionary, I found this guide on Product Hunt.

2025 Orbit Awards for AI Dictation Apps

Tutorials

How we pwned X (Twitter), Vercel, Cursor, Discord, and hundreds of companies through a supply-chain attack

A fascinating tale of a 16-year-old who hacked the AI documentation platform Mintlify, then disclosed the vulnerability securely so the team could fix it in time.

Logging Sucks - Boris Tane

This highly interactive blog explores why finding information in technical blogs can be a struggle. While single-line logs and random JSON sufficed for single-service requests, they fail when dozens of services are involved. Rather than focusing on protocols, this post explores practical steps every developer can take to simplify debugging.

Code Orange: Fail Small — our resilience plan following recent incidents - Cloudflare

Cloudflare has explained the two recent major outages that briefly took down half the Internet. While every software deployment is tested and released region-by-region and plan-by-plan, the same rigor was not applied to configuration changes; the company now intends to close that gap.

Chrome Wrapper 2025

The Chrome team released a CSS wrap-up covering this year's features, and it's not just CSS. Next year, we'll use many of these without installing NPM packages.

In short

  • Someone backed up 300TB of Spotify's songs and metadata and distributed it online.
  • If the Web is going to be all ChatGPT, what happens to all the articles? How to disappear completely - The Verge
  • A small Twitter appreciation post for React Fiber and how it works.
  • One Piece of News From Every Country in the World - Wendover Productions
  • Lee Robinson breaks down Image compression
  • htmhell Advent calendar 2025
  • JavaScript Weekly's month-by-month breakdown of what happened this year in the JS world is a good recap.

In Other News

Publishing your work increases your luck - GitHub Blog

This blog is a likely reminder to me:

The amount of serendipity that will occur in your life, your Luck Surface Area, is directly proportional to the degree to which you do something you’re passionate about combined with the total number of people to whom this is effectively communicated.

Do something and then effectively communicate that something.

Software engineering: efficiency vs. effectiveness - Google

Addy Osmani excels at translating elusive, hard-to-explain concepts into clear language, and this Google series on becoming a senior contributor or manager is a prime example of his skill. Watch everything - if not for the content, for the speaking skill in the videos.

You've (Likely) Been Playing The Game of Life Wrong - Veritasium

We think we’re playing the “average” game, steadily collecting rewards each time we play. Yet some games follow the power law: a single freak event outweighs a thousand normal ones, shaping everything from wealth to earthquakes.

All Of Human History In One Hour - Kurzgesagt

Kurzgesagt knocks it out of the park with this stunning animated journey through the stages of human history.

AI Updates

  • Devstral 2 and Vibe CLI
  • GPT 5.2 Codex - Next iteration of GPT model.
  • Nemotron 3 - Really good local models from NVIDIA
  • Gemini 3 Flash - Gemini 3 level intelligence at speed (and hallucinations)
  • GLM 4.6V - Already good model, now with vision
  • GLM 4.7 - Iterative improvement on z.ai open source model now touching Sonnet 4.5 levels.
  • Minimax 2.1 - Quick, said to be very good at software development. I'm glad more companies are taking software seriously.
  • Mimo v2 Flash - A fast free model from Xiaomi
  • AutoGLM - zAI - zAI's model specialised in using GUIs

Looking Ahead
