Anthropic's Bet on Bun, React2Shell, Vite 8 Beta, and Elves Spam npm | News | Ep 47

News for the week of December 1, 2025: Anthrophic acquired Bun, React2Shell is pretty darn bad (and that's not all), plus "elf spam" packages on npm. From the community: tRPC vs. oRPC, demystifying TSConfig, and hash-slash (#/) project-relative import support in Node.

MCP in Practice Course
Watch now. Kamran shows you how to build a practical enterprise-grade MCP server with .NET, C#, and OAuth, hosted remotely on Azure. (Requires subscription)

Sponsored by Excalibur.js
Excalibur.js is the free and open source friendly TypeScript 2D game engine for the web. Learn to make web games with TypeScript or JavaScript! Excalibur comes out-of-the-box with everything you need, like physics, sprites, animations, sound effects, and first-party plugins for popular 2D gamedev tools.

• Homepage and Docs: https://excaliburjs.com
• Make Your First Game in 10 Minutes
• Join the Discord: https://discord.gg/9UemP985Uy

Chapters

• (00:00) - Welcome to the Show
• (04:09) - Kamran's MCP in Practice Course is Now Live on Pluralsight
• (08:35) - News: Anthropic Acquires the Bun JavaScript Runtime
• (13:41) - News: Vite 8 Beta with Rolldown
• (15:40) - News: tsdown 0.17 Release
• (17:10) - News: oxlint Brings Type-aware Linting in Alpha
• (17:50) - News: oxfmt Alpha is 30X Faster Than Prettier
• (18:45) - News: Gird Your Loins for Upcoming Node.js Security Releases
• (19:38) - News: React2Shell Remote Code Execution Exploit in RSC
• (26:55) - News: React2Shell Causes Yet Another Cloudflare Outage
• (28:16) - News: Santa's Elves Flood npm With Naughty "Gifts"
• (30:10) - News: SVG Clickjacking Exploit Using Filters
• (32:05) - Community Highlight: tRPC vs. oRPC for Your Next TypeScript Project?
• (33:15) - Community Highlight: Testing Vue Composables in TypeScript by John Franey
• (34:03) - Community Highlight: Formisch for React Quietly Released by Fabian Hillar
• (34:53) - Community Highlight: Building a Dinosaur Runner Game in Deno
• (36:19) - Community Highlight: Node Will Soon Support Project Root Import Paths
• (37:51) - Community Highlight: TSConfig Grimoire by Bjorn Lu
• (39:01) - Community Highlight: How is ESM vs. CJS Going? by Titus
• (40:45) - Community Highlight: Next Astro Release Supports Vite Environments API
• (41:18) - Bleet of the Week by Joke Bailey
• (42:10) - Cool Read: Godot Shaders Bible by Fabrizio Espendola
• (42:56) - Cool Watch: Cancellation Tokens by Stephen Toub
• (43:44) - Cool Game: Classic Game Zork is Released as Open Source
• (44:16) - Cool Tool: Helion, a Modern DOOM Engine
• (45:18) - Cool Watch: Modern .NET Serialization Attacks by Hampton Paulk
• (47:25) - Cool Reads: Architecture for Flow and Domain-driven Transformation
• (48:40) - The Minnesota Long Goodbye

News

• Bun: Bun is joining Anthropic 
• ViteLand: Vite 8 Beta: The Rolldown-powered Vite
• ViteLand: Announcing Oxlint Type-Aware Linting Alpha
• ViteLand: The first Oxfmt alpha was released
• ViteLand: tsdown got a new release
• Node.js PSA: Prepare for Monday, December 15, 2025 Security Releases
• Cloudflare: Cloudflare outage on December 5, 2025
• Security: npm Sees Surge of Auto-Generated “elf-stats” Packages Published Every Two Minutes via (Sarah Gooding)
• Security: SVG Filters - Clickjacking 2.0 Ʊ lyra's epic blog 

React2Shell Resources

• React2Shell Exploit: Critical Security Vulnerability in React Server Components
• Deep Dive: https://react2shell.com/
• Next.js: Security Advisory: CVE-2025-66478
• Deno Blog: React Server Functions / Next.js Vulnerability: Deno Deploy users protected 
• Explainer: this is the worst case scenario by LowLevelEd

From the Community

• Temitope Oyedele: tRPC vs oRPC: Which is better for your next TypeScript project, and why?
• John Franey: How to test a Vue composable with TypeScript · JohnFraney.ca
• Fabian Hiller: Formisch for React just released (quietly) – the form library that powers SolidJS 
• Deno: Build a browser game in Deno 
• Hybrist: Node support for #/ wildcard (via Rob Palmer)
• Bjorn Lu: TSConfig Grimoire (via Rob Palmer)
• Wooorm: How is ESM from Common going?
• Astro: Next release of Astro will support Vite Environment API

Cool Links

• Cool Read: Godot Shaders Bible and Ghastly in Desmos by Fabrizio Espindola
• Cool Watch: Cancellation Tokens with Stephen Toub
• Cool Game: Preserving code that shaped generations: Zork I, II, and III go Open Source 
• Cool Tool: Helion Engine, a modern DOOM engine in C#
• Cool Watch: Modern .NET Serialization Attacks by Hampton Paulk
• Cool Reads: Architecture for Flow and Domain-driven Transformation

Music
Seahorse Dreams by Kubbi (Spotify)