npm under siege (what to do about it) (Changelog & Friends #111)

Mike McQuaid and Justin Searls join Jerod in the wake of the RubyGems debacle to discuss what happened, what it says about money in open source, what sustainability really means for our community, making a career out of open source (or not), and more. Bleep!

We're joined by Deepak Singh from the Kiro team. Kiro is AWS's attempt at building an AI coding environment to take you from prototype to production. It does that by bringing structure to your agentic workflow with spec-driven development. Their aim: the flow of AI coding, leveled up with mature engineering practices.

Denis Stetskov describes how we've "normalized catastrophe" in the software industry, Meta is officially handing React and React Native over to a foundation, The New Stack reports on GitHub's Azure migration priority, Miguel Grinberg benchmarks Python 3.14, and The Oatmeal's Matthew Inman published his take on AI art.

Elixir creator, José Valim, is throwing his hat into the coding agent ring with Tidewave –a coding agent for full-stack web development. Tidewave runs in the browser alongside your app, but it's also deeply integrated into Rails and Phoenix. On this episode, José tells us all about it. Also: his agent flow, YOLO mode, an MCP hot take, and more.

Our friends at Cult.Repo launch their epic Vite documentary on October 9th, 2025! To celebrate, Jerod sat down with Evan You to discuss Vite's adoption story, why he raised money to start VoidZero, how developer documentaries get made, open source sustainability, and more.

Abner Coimbre makes a compelling case why our biggest technical talent should abandon for-profit social platforms, Noah Brier creates a Claude Code and Obsidian starter kit, Bharath Natarajan documents the Vercel vs Cloudflare fight, Toolbrew is a well-designed website brimming with common utilities, and Yusuf Aytas analyzes why over-engineering happens.

Over the past two months, we’ve seen some of the most serious supply chain attacks in npm history: phishing campaigns, maintainer account takeovers, and malware published to packages with billions of weekly downloads. What is going on?! What can we do about it? Our old friend, Feross Aboukhadijeh, joins us to help make sense of it all.

Charlie Marsh built Ruff (an extremely fast Python linter written in Rust) and uv (an extremely fast Python package manager written in Rust) because he believes great tools can have an outsized impact. He believes it so much, in fact, that he started an entire company that builds next-gen Python tooling. On this episode, Charlie joins us to tell us all about it: why Python, why Rust, how they make everything so fast, how they're starting to make money, what other products he's dreaming up, and more.

Andrew Churchill thinks companies should really be hiring junior engineers, Addy Osmani announces Chrome DevTools MCP, GitHub lays out a roadmap to fend off npm attacks, Jerry Liu builds an app that generates a timeline of your day's activities, and Sean Goedecke attempts to define "good taste" in the context of software engineering.

Bryan Cantrill and Steve Tuck, the co-founders of Oxide, are on the pod live (to tape) from the stage at OxCon. Jerod and I were invited to Oxide's annual internal conference to meet the people and to hear the stories of what makes Oxide a truly special place to work right now. The best part was this on-stage discussion with Bryan and Steve. Enjoy!