News for the week of December 1, 2025: Anthrophic acquired Bun, React2Shell is pretty darn bad (and that's not all), plus "elf spam" packages on npm. From the community: tRPC vs. oRPC, demystifying TSConfig, and hash-slash (#/) project-relative import support in Node.

MCP in Practice Course
Watch now. Kamran shows you how to build a practical enterprise-grade MCP server with .NET, C#, and OAuth, hosted remotely on Azure. (Requires subscription)

Sponsored by Excalibur.js
Excalibur.js is the free and open source friendly TypeScript 2D game engine for the web. Learn to make web games with TypeScript or JavaScript! Excalibur comes out-of-the-box with everything you need, like physics, sprites, animations, sound effects, and first-party plugins for popular 2D gamedev tools.

• Homepage and Docs: https://excaliburjs.com
• Make Your First Game in 10 Minutes
• Join the Discord: https://discord.gg/9UemP985Uy

Chapters

• (00:00) - Welcome to the Show

News

• Bun: Bun is joining Anthropic 
• ViteLand: Vite 8 Beta: The Rolldown-powered Vite
• ViteLand: Announcing Oxlint Type-Aware Linting Alpha
• ViteLand: The first Oxfmt alpha was released
• ViteLand: tsdown got a new release
• Node.js PSA: Prepare for Monday, December 15, 2025 Security Releases
• Cloudflare: Cloudflare outage on December 5, 2025
• Security: npm Sees Surge of Auto-Generated “elf-stats” Packages Published Every Two Minutes via (Sarah Gooding)
• Security: SVG Filters - Clickjacking 2.0 Ʊ lyra's epic blog 

React2Shell Resources

• React2Shell Exploit: Critical Security Vulnerability in React Server Components
• Deep Dive: https://react2shell.com/
• Next.js: Security Advisory: CVE-2025-66478
• Deno Blog: React Server Functions / Next.js Vulnerability: Deno Deploy users protected 
• Explainer: this is the worst case scenario by LowLevelEd

From the Community

• Temitope Oyedele: tRPC vs oRPC: Which is better for your next TypeScript project, and why?
• John Franey: How to test a Vue composable with TypeScript · JohnFraney.ca
• Fabian Hiller: Formisch for React just released (quietly) – the form library that powers SolidJS 
• Deno: Build a browser game in Deno 
• Hybrist: Node support for #/ wildcard (via Rob Palmer)
• Bjorn Lu: TSConfig Grimoire (via Rob Palmer)
• Wooorm: How is ESM from Common going?
• Astro: Next release of Astro will support Vite Environment API

Cool Links

• Cool Read: Godot Shaders Bible and Ghastly in Desmos by Fabrizio Espindola
• Cool Watch: Cancellation Tokens with Stephen Toub
• Cool Game: Preserving code that shaped generations: Zork I, II, and III go Open Source 
• Cool Tool: Helion Engine, a modern DOOM engine in C#
• Cool Watch: Modern .NET Serialization Attacks by Hampton Paulk
• Cool Reads: Architecture for Flow and Domain-driven Transformation

Music
Seahorse Dreams by Kubbi (Spotify)