The new Baseline 2026 update confirms that features like CSS relative units (rcap, rch, rex, ric), JavaScript modules in Service Workers, Trusted Types API and the Navigation API are now supported across all major browser engines for production use. Additionally, CSS Subgrid has reached wide availability, and the Interop 2026 project is actively working to stabilize further features. You can read the full article here.

Additionally you can also catch up on the latest ECMAScript features that you may have missed in 2025 here.

Node.js v24.15.0 (Krypton), a Long-Term Support (LTS) release, focuses on critical security fixes for vulnerabilities (CVE-2026-21710, CVE-2026-21637) and includes significant performance optimizations in Buffer operations and ESM startup. The update also bundles npm v11.12.1 and updates the V8 engine to v13.6 for enhanced JavaScript feature support. Read the full story at Node.js Blog.

GitHub utilizes eBPF (extended Berkeley Packet Filter) within the Linux kernel to detect and prevent circular dependencies in deployment tools, enhancing safety and reducing toil. By monitoring system behavior at the kernel level, the tool identifies potential failures in real time and provides actionable diagnostic information, ensuring a near-zero performance impact. Read the full technical breakdown at GitHub Blog.

This GitHub issue published a post-mortem report regarding a March 2026 supply chain attack where malicious versions of the Axios npm package were published following a social engineering attack on a maintainer. The incident, which affected versions 1.14.1and 0.30.4, resulted in the installation of a Remote Access Trojan, prompting immediate security hardening measures such as mandatory OIDC for publishing. Read the full details at GitHub.

GitHub launched a new initiative focused on "Hack the AI Agent" designed to teach developers how to secure autonomous systems. As developers increasingly build agents that can execute code or access databases, new vulnerabilities like "Prompt Injection for Execution" have emerged. This update provides hands-on challenges to help engineers build "guardrails" and defensive layers, ensuring that as AI becomes more autonomous, it remains safe and compliant within production environments.

The GitHub Actions 2026 security roadmap outlines a "secure-by-default" strategy, introducing five key features to combat supply chain attacks, including deterministic dependency locking via commit SHAs and a native, Layer 7 egress firewall. Planned for release in late 2026, these updates also include scoped secrets, policy-driven execution controls, and real-time security telemetry. Read the full story at GitHub Blog.

AI roundup

Anthropic's unreleased "Claude Mythos" AI model is considered too dangerous for public release due to its ability to autonomously identify, exploit, and patch cybersecurity vulnerabilities, having achieved high scores on technical benchmarks like SWE-bench. Instead of a public launch, Anthropic has initiated Project Glasswing, providing limited access to researchers and partners to focus on defensive security applications. Read more at updateddev.com.

A recent Stack Overflow survey reveals that 84% of developers now use AI coding tools daily (with Cursor and Claude Code dominating IDEs), yet only 29% fully trust the generated code enough to ship it without heavy review. This growing trust gap highlights the rising challenge of "code overload," where AI accelerates output dramatically but leaves teams struggling with quality, debugging, and production risks.

AI coding startup Factory announced a $150 million funding round led by Khosla Ventures, reaching a $1.5 billion valuation as it builds autonomous agents tailored for large engineering teams. The move underscores surging enterprise demand for scalable AI agents that handle full development workflows, amid broader industry shifts toward agentic coding and the need for better oversight tools.

The past week has felt like a collision between a faster, smarter web and a harsher security reality. Baseline 2026 quietly raises the floor for what “modern” means locking in CSS Subgrid, new relative units, JS modules in Service Workers, and the Navigation API while the latest Node.js LTS ships critical security fixes and performance gains. Under the hood, GitHub is even turning to eBPF at the kernel level to make deployments safer with real-time, low-overhead diagnostics.

But as the platform levels up, the supply chain is under direct fire. The Axios npm compromise shows how a single social-engineering win can push a Remote Access Trojan through trusted packages, forcing a shift toward “secure-by-default” tooling. GitHub’s Actions security roadmap and its new “Hack the AI Agent” game both push the same mindset: lock down dependencies, control egress, scope secrets, and teach developers to think like attackers when wiring up automation and agents.

AI is amplifying both sides of this story. Anthropic’s unreleased Claude Mythos model is so capable at autonomous vulnerability discovery and exploitation that it’s being held back for controlled, defensive use, even as 84% of developers now rely on AI coding tools they don’t fully trust. For developers, the signal is clear: the stack is becoming more native, more performant, and much harder to secure.

Updated Dev