993: It’s Been A Hell Of Week

Scott and Wes break down a chaotic week in dev news — the Claude Code source leak, a nasty Axios npm supply chain hack, and Railway’s private cache exposure — plus how to keep these nightmare scenarios from hitting your own projects. Show Notes 00:00 Welcome to Syntax! 00:55 Claude Code Leaked! Wes’ X Post Apple Source Code Video 05:42 Burning through Claude Code token limits. Reddit Thread 08:57 Axios hacked! Step Security pnpm Supply Chain Security pnpm minimumReleaseAge 16:13 Pretext blew up! Pretext.js Demos Wes’ Demo 27:24 Railway shared private cache. Railway Incident Report 31:54 Sick Picks & Shameless Plugs. Sick Picks Scott: Kindle Colorsoft Kids Wes: UGREEN 200W 8-Port GaN USB C Charger Block, Wyze Headphones Shameless Plugs Scott: Syntax on YouTube Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Wes and Scott talk about migrating large codebases with AI — how to plan framework and language moves, establish patterns, handle templating changes, test thoroughly, safely deploy, and more. Show Notes 00:00 Welcome to Syntax! 01:46 Why migrate to a new language or framework? 05:09 How to approach a large code migration 08:47 Establishing patterns before using AI 10:35 Moving from pug to JSX 12:06 Building a detailed migration plan 15:18 Testing every part of the application 15:51 Brought to you by Sentry.io 16:58 Deploying and catching issues with Sentry 19:12 Converting express requests to web standard requests 19:34 Other codebases that could benefit from AI migrations 21:36 Sick Picks + Shameless Plugs Sick Picks Scott: WisprFlow Wes: displayplacer Shameless Plugs Phases Podcast Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Vite just launched Void, a fullstack JavaScript framework and cloud platform that bundles together routing, SSR, auth, an ORM, and nearly everything you’d expect from a modern meta-framework — all built on top of Cloudflare’s infrastructure. Scott, Wes, and CJ dig into whether Void is the Rails moment JavaScript has been waiting for, or just shiny Cloudflare lock-in with a bow on it. Show Notes 00:00 Welcome to Syntax! The Announcement 00:27 Laravel or Rails for JavaScript? 01:38 What is this big announcement? 04:36 It’s just Vercel for Cloudflare? 07:09 Database options. 09:37 Brought to you by Sentry.io. 10:01 Type safety. 12:09 What about RPC? 15:41 Component Loaders over Page Loaders. 18:23 Baked in authentication via Better Auth. 22:57 Lock-in. Unapologetically Cloudflare Evan’s X Post. 24:55 Is it lock-in? 32:40 Self-Cloudflare your own Void apps? Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Wes, Scott, and CJ talk about Vite+, a unified JavaScript toolchain that combines linting, formatting, task running, monorepos, and more. They break down its evolution, open-source shift, performance gains, Node version management, and whether it can realistically replace today’s fragmented dev tooling. Show Notes 00:00 Welcome to Syntax! 00:54 What Vite+ is and what’s changed since launch 03:43 Why the ecosystem needs Vite+ 06:41 What Vite+ actually does for your workflow 10:18 Built-in Node version management 12:32 Type-aware linting with tsgolint and oxc 15:27 Brought to you by Sentry.io 16:28 Should config live inside vite.config? 22:56 Monorepos and task running in Vite+ 26:28 Task caching and faster builds 29:01 Final thoughts and current limitations Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Scott and Wes dig into the latest State of JS survey results, breaking down which JavaScript libraries, frameworks, and tools are rising, falling, or holding steady in the ever-shifting JS ecosystem. From front-end frameworks and meta-framework pain points to JavaScript runtimes, hosting services, and the growing role of AI tools in developer workflows, this one’s packed with takes, tier lists, and plenty of opinions. Show Notes 00:00 Welcome to Syntax! 01:06 JavaScript Features, not overly interesting. 02:15 JavaScript Libraries popularity and usage over time. 07:52 Library Tier List. 10:55 Library Ratios Over Time. 13:09 Other Front-End Frameworks. 15:24 Meta-framework Ratios Over Time. 19:34 Meta-Framework Pain Points. 21:57 Backend Frameworks. npm Trends express-vs-hono. 25:14 LLM Stack Suggestions. 27:54 Brought to you by Sentry.io. 30:37 Testing Frameworks. 33:15 Libraries Other Tools. 37:20 Utilities. npm Trends biome-vs-oxlint 40:53 JavaScript Runtimes. 45:04 Hosting Services. 51:39 AI Tools. 54:16 AI Code Generation. 55:04 Awards. 01:00:19 Sick Picks & Shameless Plugs. Sick Picks Scott: Anker MagSafe Charger Stand Wes: Battery-powered Heat Gun Shameless Plugs Scott: Syntax on YouTube Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Wes and Scott talk with Steve Faulkner about vinext, a Vite-powered Next.js fork. They dive into AI coding workflows, agent browsers, code quality, and what modern dev tooling looks like in an AI-first world. Show Notes 00:00 Welcome to Syntax! 02:01 Knowing how to use AI 02:31 The idea behind “slop fork” vinext How we rebuilt Next.js with AI in one week 06:27 How to approach a project like this Super Whisper 07:53 Using markdown as a planning and thinking tool 12:35 Steve’s OpenCode setup 14:31 What agent browsers are and how they work agent-browser 15:34 Where agent browsers fall short 19:02 Why agents work best with tight feedback loops 21:23 Dealing with poor code quality from AI 23:54 Brought to you by Sentry.io 24:19 Searching for a reliable AI workflow 25:54 What about security? 28:46 When it makes sense to port a framework vs switch 32:03 What an AI-first programming language might look like 33:16 TypeScript in an AI-driven workflow 35:36 Cloudflare and improving developer experience 38:10 Being excited and uneasy about where AI is heading 39:06 Which industries AI disrupts next 41:29 Sick picks + shameless plugs Sick Picks Steve: IWC Pilot’s Watch Mark XX Shameless Plugs Steve: vinext Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Scott and Wes break down the world of remote coding agents — what they are, why you’d want one, and all the different ways you can run them, from Cursor Cloud and Claude Code to an old laptop sitting on your floor. They cover real-world use cases, environment setup, API key management, and the wild variety of interfaces that let agents work while you sleep. Show Notes 00:00 Welcome to Syntax! 03:14 Introduction to Remote Coding Agents 05:32 Practical Examples of Remote Agents 05:34 Website data grunt work. 07:48 Research assistant 08:57 Travel agent… agent 09:57 Where and When Remote Agents Run 10:43 Brought to you by Sentry.io 13:31 Where Remote Agents Run 19:14 CLI and User Interfaces for Remote Agents 24:53 Remote Development Environments 31:21 DIY Agents and Custom Solutions 36:09 The environment 38:08 Managing API Keys and Access 41:02 Web search Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

In this potluck episode, Wes and Scott answer your questions about popover navigation patterns, the Vibrate API on iOS, whether code quality still matters in the AI era, Wes’s evolving Obsidian second-brain setup, where to start with modern full-stack JavaScript, and more! Show Notes 00:00 Welcome to Syntax! 01:02 Using display none with popover and hamburger navigation 03:37 Vercel on iOS and experimenting with the Vibrate API 05:47 Does code quality still matter in the AI age? 11:08 Wes’ second brain update and Obsidian workflow QMD 19:57 Brought to you by Sentry.io 20:21 Supporting older browsers and missing out on modern web features 23:32 iPad browsing quirks and dealing with outdated Safari 28:26 What to do when you encounter a badly built or inaccessible website 33:37 Is the Effect TypeScript library worth the learning curve? 37:04 Where to start with modern full-stack JavaScript 43:39 Are column grid frameworks still relevant with modern CSS? Graffiti 49:54 Sick Picks + Shameless Plugs Sick Picks Scott: AVerMedia Video Capture Card Wes: Power Bar Extension Cord Shameless Plugs Phases Podcast Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Scott and Wes are joined by Phil Miller and Theo Ephraim to talk about Varlock, a new approach to environment variables that adds schemas, validation, and security to the humble .env file. They dig into the risks of traditional env workflows, how schema-driven configs improve DX, and how tools like Varlock help manage secrets safely across frameworks, CI, and AI-powered workflows. Show Notes 00:00 Welcome to Syntax! 03:15 The Risks of .env Files 04:58 Introducing Varlock: A Unified Solution 06:56 Schema-Driven Environment Variables 11:47 Integrating with Various Frameworks 14:08 Brought to you by Sentry.io 14:32 Cross-Language Compatibility 17:50 Best Practices for Environment Variables 21:11 Security Features of Varlock 25:02 AI Integration and Environment Variables 29:12 Introduction to Varlock and GitHub Actions 32:45 Secrets Management and Best Practices 36:09 The Future of Varlock and Open Source 38:36 Sick Picks + Shameless Plugs Sick Picks Phil: Bela.io Theo: Wonder Man Shameless Plugs Phil: nauticalartifacts Theo: howtostore.food Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Wes and Scott talk with Paolo Ricciuti about Svelte custom renderers and how Svelte actually talks to the DOM. They dig into compiler internals, CSS handling, native bridges, and the realities of maintaining ambitious open source tooling. Show Notes 00:00 Welcome to Syntax! March MadCSS 01:44 Paolo’s role at Mainmatter and his work on Svelte custom renderers 02:52 Why Paolo chose Svelte Why I choose Svelte Shift Dev 2019: “Rethinking Reactivity” 05:16 From Svelte ambassador to working on the project 07:45 How custom renderers change what Svelte can target 10:10 How Svelte uses the DOM and why that makes custom renderers tricky 20:32 What Lynx provides and how it differs from a web view 24:18 Brought to you by Sentry.io 35:56 Using Svelte with CSS outside the browser 39:09 The timeline and current state of the Lynx app 44:51 Sick Picks + Shameless Plugs Sick Picks Paolo: Opencode Shameless Plugs Paolo: Svelte Custom Renderers | TCMP Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads