Jovi 🐨
jovidecroock.com
🇧🇪 | he/him | Software Engineer @Shopify | Preact core team | passionate about DX & web perf | opinions are my own
Reposted by Jovi 🐨
Released 🎞️
December 27, 2025 at 10:59 AM
Created a TanStack AI integration for Preact, wondering whether we should change this to be signals rather than hooks though 🤔

github.com/TanStack/ai/...
Add preact integration by JoviDeCroock · Pull Request #180 · TanStack/ai
🎯 Changes This adds a preact-integration, this is largely adapted from the react tests and implementation. I was considering adding a signals based one as well but wanted to see whether the appeal ...
December 26, 2025 at 8:54 AM
Reposted by Jovi 🐨
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.

I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”

So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
It's been a fun few days just coding on random projects and solving problems that I face on a daily basis 😅
December 10, 2025 at 7:13 AM
The browser has everything you need: why not everything needs to be server-rendered and how preloading can alleviate complexity.

jovidecroock.com/blog/platform
The Browser Has Everything You Need
Stop treating SPAs and SSR as opposing paradigms. The browser already loads resources in parallel—you just have to use it.
December 9, 2025 at 7:19 PM
Reposted by Jovi 🐨
From the thread: "Attacks from bot compromised Next.js assets spiked on 2025-12-05 from the usual 100 IP baseline to close to a 1000."

If you're not 100% sure you're NOT vulnerable, you should patch your Next.js apps ASAP.

And if you're 100% sure... patch anyway.
Like others we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised host with Next.js attacking our sensors:
dashboard.shadowserver.org/statistics/h...
December 8, 2025 at 6:12 PM
Reposted by Jovi 🐨
RSCs were a mistake.

I went back to a client-side only solution using Preact for my latest project because the complexity you buy into is simply not worth the benefit of RSCs.
December 4, 2025 at 9:34 AM
Reposted by Jovi 🐨
this is nuts, non-dismissible full page message, social meta title swapped to CVE-2025-55182
this was in a random website i visited, the cve is fucking crazy
December 7, 2025 at 11:23 AM
Reposted by Jovi 🐨
I actually love this disclaimer
November 21, 2025 at 12:08 PM
On a totally different subject, Belgium has increased VAT on gym memberships and other sport-related stuff. All while we know that exercise increases lifespan, which logically extends to reducing social security costs as people are healthier... Anything to increase taxes I guess...
November 27, 2025 at 4:50 PM
To put this out there: last week I stepped down as a maintainer of GraphQL-JS.

I've decided for myself that I spend a lot of time on OSS and I want to spend that time on projects where I can feel impactful. I wish my fellow ex-maintainers on the project the best of luck!
November 27, 2025 at 4:10 PM
Reposted by Jovi 🐨
have been using preact for a side project recently and am thoroughly enjoying it

the signals dev tools are super nice too. would love to see similar exist for other frameworks, even just to visualise the signal networks/flows
November 23, 2025 at 10:22 AM
Reposted by Jovi 🐨
one downside of LLMs in OSS is _huge_ walls of text in issues, where the text does technically make sense but reads like a student trying to meet a character limit 😅
November 21, 2025 at 9:27 AM
Never thought I'd experience the low of talking to a user, I mean LLM... For an entire issue. This is just beyond hopeless and a lot of my interactions have devolved into this...

github.com/preactjs/sig...
Signals no longer auto-unwrap in JSX attributes (require .value) · Issue #801 · preactjs/signals
Signals no longer auto-unwrap in JSX attributes for boolean props Check if updating to the latest version resolves the issue Environment I am using @preact/signals-core I am using @preact/signals I...
November 20, 2025 at 8:57 PM
My favorite AI benchmark nowadays is to take a semi-complex bug from the Preact/Signals repository (or an intersection thereof) and ask it to write a failing test.

Thus far I haven't been replaced as an OSS maintainer, not even by Gemini 3
November 18, 2025 at 5:53 PM
If taxing billionaires won’t work then taxing us won’t either, right?
November 14, 2025 at 7:57 AM
I've felt a tendency of issues to be AI authored lately, they overly bear the frustration of the user pretty frequently and the reproductions are inaccurate a lot of the time. Has anyone else noticed this?
November 10, 2025 at 4:14 PM
Reposted by Jovi 🐨
Vibe coding PRs - STOP please...
November 10, 2025 at 5:02 AM
Well, the last two months of 2025 are there and... I haven't published anything but open-source stuff.... Surely 2026 will be the year... Right? Right?
Me: 2025 is going to be the year I release some small product
Meanwhile: 2 finished things
Me: Ah they probably suck, let's keep it private
November 7, 2025 at 8:22 AM
Reposted by Jovi 🐨
Open source never stops: graphql-js v16.12.0 was just released 🚀

@jovidecroock.com is bringing the latest spec additions to the stable branch, such as operation descriptions and schema coordinates.

Check it out 👇

github.com/graphql/gra...
Release 16.12.0 · graphql/graphql-js
v16.12.0 (2025-11-01) New Feature 🚀 #4482 Implement changes for executable descriptions (@JoviDeCroock) #4493 Backport schema coordinates (@JoviDeCroock) Bug Fix 🐞 #4392 Catch unhandled exceptio...
November 1, 2025 at 8:03 PM
Reposted by Jovi 🐨
Here's a toy app using @preactjs.com + signals and @nitro.build (to avoid the browser's CORS error)

It's an example on one of the ways you can use signals and how most of the App logic can be changed to just listening to values as compared to dealing with hooks 1/n
October 25, 2025 at 4:56 PM
I think I found a Chromium bug: when using moveBefore on a focused input that has a selection range, it loses its selection range.

Chrome bug: issues.chromium.org/issues/45482...
October 24, 2025 at 7:13 PM
I forgot the golden rule of "Don't read the comments if someone posts your article to Hacker News and it hits the front page"....
Signals flip the script. React renders where you create state. Signals render where you use state. Same state, but you are pushed into patterns that will lead to better performance by default. One paradigm shift away from memoization hell. 🎯

www.jovidecroock.com/blog/state-v...
State and rerenders
Exploring the paradigm shift from 'render where you create state' to 'render where you use state'.
October 20, 2025 at 3:56 PM
Signals flip the script. React renders where you create state. Signals render where you use state. Same state, but you are pushed into patterns that will lead to better performance by default. One paradigm shift away from memoization hell. 🎯

www.jovidecroock.com/blog/state-v...
State and rerenders
Exploring the paradigm shift from 'render where you create state' to 'render where you use state'.
October 18, 2025 at 2:17 PM
Reposted by Jovi 🐨
got laid off due to restructuring :(

i’m now available for mid+ frontend developer/software engineering positions

in the meantime, we’re back to building the future and fun on the web on atproto :)
October 17, 2025 at 1:46 AM