Daily · English / Français / Deutsch

ThefrontpageoftheTypeScriptecosystem.

Daily TypeScript, JavaScript, and web platform news for developers who ship code.

// Claude Code Issue #74066: Users Report Cross-Workspace Context Bleed on Sonnet 5, Anthropic Has Not Yet Responded// Turborepo 2.10.3 Recognizes nub and aube, Two New Rust-Based Node.js Package Managers From Colin McDonnell (Zod) and Jeff Dickey (mise)// Claude Code 2.1.199 Adds Stacked Slash-Skill Invocations, Fixes Subagent Error Reporting, the Background-Agent Daemon Crash Loop on Linux, and the Streaming-Response Discard Bug// Rolldown 1.1.4 Disables `experimental.lazyBarrel` by Default Again, One Month After 1.1.0 Made It Default-On// Claude Code 2.1.198 Makes Claude in Chrome Generally Available, Lets Background Agents Commit, Push, and Open Draft PRs, Adds `/dataviz` Skill, and Brings Claude Platform on AWS to the Gateway// Claude Sonnet 5 Goes Default in Claude Code 2.1.197 with a 1M-Token Context Window, $2/$10 Per Mtok Introductory Pricing, and Cyber Safeguards On by Default// Fastify v5.9.0 Adds `request.mediaType` and `onMaxParamLength`, Hardens `forwarded` Header Trust, Chunks Large HTTP/2 Replies, and Moves Type Tests to TSTyche// npm 11.18 Promotes the `linked` Install Strategy to Stable, Adds the `npm install-scripts` Namespace, and Warns When `min-release-age` Blocks an Audit Fix// Oxlint v1.72 and Oxfmt v0.57 Land the v0.138 Crates Cycle, Unify the AstBuilder, and Retire the Prettier CSS/GraphQL Fallback// Cline 4.0.1 Rolls Back the SDK Migration After 4.0.0 Regressions; 4.0.2 Brings the SDK Code Back with Reasoning Effort and ClinePass Fixes// Claude Code Issue #74066: Users Report Cross-Workspace Context Bleed on Sonnet 5, Anthropic Has Not Yet Responded// Turborepo 2.10.3 Recognizes nub and aube, Two New Rust-Based Node.js Package Managers From Colin McDonnell (Zod) and Jeff Dickey (mise)// Claude Code 2.1.199 Adds Stacked Slash-Skill Invocations, Fixes Subagent Error Reporting, the Background-Agent Daemon Crash Loop on Linux, and the Streaming-Response Discard Bug// Rolldown 1.1.4 Disables `experimental.lazyBarrel` by Default Again, One Month After 1.1.0 Made It Default-On// Claude Code 2.1.198 Makes Claude in Chrome Generally Available, Lets Background Agents Commit, Push, and Open Draft PRs, Adds `/dataviz` Skill, and Brings Claude Platform on AWS to the Gateway// Claude Sonnet 5 Goes Default in Claude Code 2.1.197 with a 1M-Token Context Window, $2/$10 Per Mtok Introductory Pricing, and Cyber Safeguards On by Default// Fastify v5.9.0 Adds `request.mediaType` and `onMaxParamLength`, Hardens `forwarded` Header Trust, Chunks Large HTTP/2 Replies, and Moves Type Tests to TSTyche// npm 11.18 Promotes the `linked` Install Strategy to Stable, Adds the `npm install-scripts` Namespace, and Warns When `min-release-age` Blocks an Audit Fix// Oxlint v1.72 and Oxfmt v0.57 Land the v0.138 Crates Cycle, Unify the AstBuilder, and Retire the Prettier CSS/GraphQL Fallback// Cline 4.0.1 Rolls Back the SDK Migration After 4.0.0 Regressions; 4.0.2 Brings the SDK Code Back with Reasoning Effort and ClinePass Fixes

Featured

securityai

Claude Code Issue #74066: Users Report Cross-Workspace Context Bleed on Sonnet 5, Anthropic Has Not Yet Responded

An open bug filed against Claude Code on 2026-07-04 by an [Enterprise ZDR](https://docs.anthropic.com/en/docs/build-with-claude/zero-data-retention) user describes a working session on Sonnet 5 that suddenly starts referencing an unrelated Minecraft temple build, then doubles down on the wrong task in its recap. The reporter (GitHub: [@milesrichardson-edb](https://github.com/milesrichardson-edb), issue [anthropics/claude-code#74066](https://github.com/anthropics/claude-code/issues/74066)) is on Enterprise Zero Data Retention, the tier Anthropic specifically advertises as session-isolated. Triage on the reporter's local session JSONL at `~/.claude/projects/<encoded-cwd>/<session-id>.jsonl` finds the leaked text is not in the transcript, ruling out a local context bleed by file overlap. Four other users in the comments (with work histories going back to last year) describe near-identical behavior across Claude Code, Claude Mobile, and Claude deep research. The most plausible architectural fit is shared KV-cache state in inference ([per @yv3nne in the comments](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880448776)), but no Anthropic engineer has commented on the issue in the 22 hours since it was filed, and the issue reached the top of [Hacker News](https://news.ycombinator.com/item?id=42481789) on 2026-07-04. The tone in the thread is split: half suspecting a real platform cache reuse, half suspecting a [sonnet-5-specific hallucination triggered by a Pygments lexer](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880334711). Both readings are credible.

Read articles

Latest headlines

View all
Turborepo 2.10.3 Recognizes nub and aube, Two New Rust-Based Node.js Package Managers From Colin McDonnell (Zod) and Jeff Dickey (mise)
tooling

Turborepo 2.10.3 Recognizes nub and aube, Two New Rust-Based Node.js Package Managers From Colin McDonnell (Zod) and Jeff Dickey (mise)

Turborepo [v2.10.3](https://github.com/vercel/turborepo/releases/tag/v2.10.3) shipped on 2026-07-03 with first-class support for [nub](https://github.com/nubjs/nub) and [aube](https://github.com/jdx/aube), two Rust-based Node.js package managers that emerged in spring and summer 2026. nub is authored by Colin McDonnell (creator of [Zod](https://github.com/colinhacks/zod), 43k stars) and aube by Jeff Dickey (creator of [mise](https://github.com/jdx/mise)); both integrate with Turborepo as `packageManager` values in `package.json` and `devEngines.packageManager`. The release also lands a new TUI/streamed-logs toggle, click-to-select tasks in the TUI task list, auto-copy of TUI selections to clipboard on mouse release, a `--production` flag on `turbo prune`, TypeScript 7.0.1-rc as the workspace toolchain, thin LTO + `codegen-units=1` for release builds, and a long list of cache-hashing perf fixes. The headline signal: two of the JS toolchain's most respected builders are now shipping package managers that ride on stock Node instead of replacing it, and Turborepo is the first mainstream monorepo tool to formalize both.
Claude Code 2.1.199 Adds Stacked Slash-Skill Invocations, Fixes Subagent Error Reporting, the Background-Agent Daemon Crash Loop on Linux, and the Streaming-Response Discard Bug
ai

Claude Code 2.1.199 Adds Stacked Slash-Skill Invocations, Fixes Subagent Error Reporting, the Background-Agent Daemon Crash Loop on Linux, and the Streaming-Response Discard Bug

Anthropic released Claude Code [v2.1.199](https://github.com/anthropics/claude-code/releases/tag/v2.1.199) on 2026-07-02, one day after the v2.1.198 feature release (Chrome GA, background-agent auto-PR, /dataviz, Gateway on AWS) and two days after v2.1.197 made Sonnet 5 the default model. v2.1.199 is a bug-fix release with 24 entries: one new feature (stacked slash-skill invocations load up to 5 leading skills in one prompt), and a long list of reliability fixes for subagent error reporting, the background-agent daemon on Linux, streaming-response preservation on mid-stream API errors, SSL/TLS error handling behind corporate proxies, plan mode tool-call handling, and a per-env retry policy that no longer caps the user-tunable retry count at 15. Most of the items are in the background-agent / subagent area, which is consistent with the v2.1.197 + v2.1.198 direction of treating delegation as the product surface for Sonnet 5.
Rolldown 1.1.4 Disables `experimental.lazyBarrel` by Default Again, One Month After 1.1.0 Made It Default-On
tooling

Rolldown 1.1.4 Disables `experimental.lazyBarrel` by Default Again, One Month After 1.1.0 Made It Default-On

Rolldown [v1.1.4](https://github.com/rolldown/rolldown/releases/tag/v1.1.4), published 2026-07-01T14:02:02Z, ships one feature change and 19 bug fixes. The feature change is a partial reversal of the [v1.1.0 default-flip](https://github.com/rolldown/rolldown/releases/tag/v1.1.0) that landed on 2026-06-03: `experimental.lazyBarrel` is now disabled by default again, after four weeks of correctness reports against the default-on behaviour. The release also hardens the dev-mode path by forcing `lazyBarrel` off whenever `experimental.devMode` is set (PR [#10060](https://github.com/rolldown/rolldown/pull/10060)), on top of the existing force-off for `treeshake`. The default-flip revert (PR [#10071](https://github.com/rolldown/rolldown/pull/10071)) and the dev-mode fix both author as one line each: "disable `experimental.lazyBarrel` by default" and "fix(dev): disable lazy barrel in dev mode", and the root-cause tracking is the new [issue #10085](https://github.com/rolldown/rolldown/issues/10085) "Tracking strictExecutionOrder correctness and architecture issues", opened the day after the release. The release follows [Rolldown v1.1.3](https://github.com/rolldown/rolldown/releases/tag/v1.1.3) (2026-06-24) and is the first release since 1.1.0 to touch the lazyBarrel config surface.
Claude Code 2.1.198 Makes Claude in Chrome Generally Available, Lets Background Agents Commit, Push, and Open Draft PRs, Adds `/dataviz` Skill, and Brings Claude Platform on AWS to the Gateway
ai

Claude Code 2.1.198 Makes Claude in Chrome Generally Available, Lets Background Agents Commit, Push, and Open Draft PRs, Adds `/dataviz` Skill, and Brings Claude Platform on AWS to the Gateway

Anthropic released Claude Code [v2.1.198](https://github.com/anthropics/claude-code/releases/tag/v2.1.198) on 2026-07-01T20:45:36Z, the second consecutive day of Claude Code shipping after v2.1.197 (the Sonnet 5 default release) the day before. The headline change is that Claude in Chrome is now generally available inside Claude Code: the browser-side assistant that was a research preview moves to a stable channel and is no longer gated behind a feature flag or a waitlist. The release also lands the first end-to-end automation for background agents in `claude agents`, which now commit, push, and open a draft pull request when they finish code work in a worktree, instead of stopping to ask for permission. Other notable additions: a `/dataviz` skill for chart and dashboard design with a runnable color-palette validator, a Gateway upstream for Claude Platform on AWS (`anthropicAws`) with model-not-found responses advancing the failover chain, a built-in Explore agent that now inherits the main session's model (capped at opus) instead of running on Haiku, and subagents that inherit the parent session's extended thinking configuration. The release also removes the `/agents` wizard and replaces it with the conversational flow, fixes a long list of reliability bugs around background agents, network drops, and platform auth, and improves syntax highlighting by upgrading to highlight.js 11.
Claude Sonnet 5 Goes Default in Claude Code 2.1.197 with a 1M-Token Context Window, $2/$10 Per Mtok Introductory Pricing, and Cyber Safeguards On by Default
ai

Claude Sonnet 5 Goes Default in Claude Code 2.1.197 with a 1M-Token Context Window, $2/$10 Per Mtok Introductory Pricing, and Cyber Safeguards On by Default

Anthropic announced Claude Sonnet 5 on 2026-06-30 ([Introducing Claude Sonnet 5](https://www.anthropic.com/news/claude-sonnet-5)), and Claude Code [v2.1.197](https://github.com/anthropics/claude-code/releases/tag/v2.1.197) (released the same day) made it the default model. The launch is the first Sonnet-line model that closes the agentic gap with Opus 4.8, ships a native 1M-token context window, and lands on introductory pricing of $2 per million input tokens and $10 per million output tokens through August 31, 2026 (then $3/$15 per Mtok). Sonnet 5 is the new default for Free and Pro plans in Claude and is the default model in Claude Code, available immediately on update. The release ships with cyber safeguards enabled by default (the same safeguards as Opus 4.7 and 4.8, less strict than the Fable 5 set), a refreshed tokenizer that inflates token counts 1.0 to 1.35x, and rate-limit increases across Chat, Cowork, Claude Code, and the Claude Platform to absorb the higher token usage of the new effort-level controls. The Anthropic system card and the Claude Code release notes both ship the same day, so the Claude Code audience gets the new model the same day it is announced.
Fastify v5.9.0 Adds `request.mediaType` and `onMaxParamLength`, Hardens `forwarded` Header Trust, Chunks Large HTTP/2 Replies, and Moves Type Tests to TSTyche
security

Fastify v5.9.0 Adds `request.mediaType` and `onMaxParamLength`, Hardens `forwarded` Header Trust, Chunks Large HTTP/2 Replies, and Moves Type Tests to TSTyche

Fastify v5.9.0, published on 2026-06-28 (github.com/fastify/fastify), is the first minor release of the v5 line in 2026 and a substantial 65-PR cycle. The headline features are `request.mediaType` (a typed accessor for the negotiated media type, [#6653](https://github.com/fastify/fastify/pull/6653) by climba03003), `onMaxParamLength` route option ([#6716](https://github.com/fastify/fastify/pull/6716) by climba03003), and a security fix that no longer trusts `X-Forwarded-Host` and `X-Forwarded-Proto` when the incoming socket is missing ([#6684](https://github.com/fastify/fastify/pull/6684) by mcollina). The cycle ships an HTTP/2 buffer-chunking fix for large replies ([#6746](https://github.com/fastify/fastify/pull/6746) by mcollina), three schema-related performance wins (deferred `getSchemaSerializer` content-type parsing #6692, cached `ContentType` objects in `ContentTypeParser` #6694, `typeof` guard before `toString.call` in `send` / `onSendEnd` #6693 by aquie00t), Node.js 26 added to the test matrix ([#6728](https://github.com/fastify/fastify/pull/6728) by Fdawgs) and Node.js 20 dropped from the yarn CI matrix ([#6662](https://github.com/fastify/fastify/pull/6662) by Tony133), the migration of the type-test suite from hand-rolled `expect-type` to [TSTyche](https://github.com/mrazauskas/tstyche) ([#6532](https://github.com/fastify/fastify/pull/6532) by mrazauskas, with follow-ups #6726 and #6727), and a TypeScript-only fastify-plugin v6.0.0 bump. Other notable fixes: trailer `res.end` deduplication (#6676), trailer duplicate-completion guard (#6714), `error.code` on routing errors (#6678), `hasRequestDecorator` / `hasReplyDecorator` catching constructor-assigned built-ins (#6753), `getValidationFunction()` allowed to return `undefined` (#6665), and a socket `_meta` clear that closes a keep-alive leak (#6799).

Browse by topic

117

articles published

10

topics tracked

3

languages

daily

news rhythm

Stay in the loop

Subscribe to our RSS feed — never miss a story.