Kevin Deng
@sxzz.dev
https://github.com/sxzz • 🏳️‍🌈 Gen Z • indie OSS developer sponsored by @voidzero.dev

@vuejs.org @vite.dev @vue-macros.dev @vueuse.org @unjs.io @rolldown.rs elk.zone
When I said that, I had no idea what would happen next:

"I think we can use fdir and picomatch to create a new library for lightweight glob, enhancing maintainability."
tinyglobby is a great success, and has shown us how much we can improve perf for everyone. here's some of the story!

big thanks to @superchupu.dev and @benmccann.com for putting so much work into this and the migrations/adoption. we're lucky to have both in the @e18e.dev community 💙
tinyglobby: a success story in modernization and performance
The story of tinyglobby, one of the e18e community's most successful projects
e18e.dev
November 12, 2025 at 4:29 PM
tsdown v0.16.0 is out now, featuring Vite DevTools integration!

Just install `@vitejs/devtools` and run `tsdown --debug` for an early preview.

Big thanks to @antfu.me, @arlo7.me, and @hyf0.bsky.social for their help!
November 4, 2025 at 12:44 PM
😱 tsdown just crossed 1M monthly downloads! 🚀
October 21, 2025 at 10:54 AM
Time to: fnm default v24
October 18, 2025 at 11:10 PM
Reposted by Kevin Deng
Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify performance improvements and JIT pipeline optimizations.

This release introduces the permission model --allow-net, Web Storage is enabled by default, and more!

nodejs.org/en/blog/rele...
Node.js
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
nodejs.org
October 15, 2025 at 5:22 PM
Reposted by Kevin Deng
Watch @sxzz.dev demonstrate tsdown, the elegant library bundler. The key features, design philosophy, and how it simplifies/streamlines library development.

Full video in comment ⏬
October 17, 2025 at 2:30 AM
Reposted by Kevin Deng
The Unified Toolchain for the Web

We are thrilled to announce Vite+: A unified, Rust-powered toolchain and drop-in upgrade for @vite_js.

Read the full vision and learn about our sustainable licensing model (free for individuals, OSS & small businesses).

voidzero.dev/posts/announ...
Announcing Vite+
Introducing Vite+, a unified toolchain for JavaScript.
voidzero.dev
October 13, 2025 at 5:35 PM
Reposted by Kevin Deng
Securing my npm publish workflow! 🔐 Migrating all my packages from local releases to a CI process using npm's Trusted Publishing (Provenance).

It's incredibly easy with @sxzz.dev's reusable GitHub workflow. Pure magic! ✨

github.com/sxzz/workflo...

#npm #GitHubActions #CI #Security #OpenSource
workflows/.github/workflows at main · sxzz/workflows
A collection of reusable GitHub Actions workflows for TypeScript projects. - sxzz/workflows
github.com
October 12, 2025 at 8:14 PM
Reposted by Kevin Deng
What an excellent group 🙌

Best part of meetups and conferences

@viteconf.org
October 11, 2025 at 1:09 PM
Reposted by Kevin Deng
Glad to see TypeScript's Isolated Declarations feature already mentioned in three talks this morning at @viteconf.org 👍

It's one of the reasons tsdown and Oxc can generate Type Declarations so quickly ⚡

The main ID developer @titiancernicova.bsky.social is here if you wish to meet him.
Always happy to see something you worked on out in the wild! Love to see isolated declarations being used 😊. #viteconf.amsterdam
October 9, 2025 at 9:55 AM
Reposted by Kevin Deng
January 31, 2024 at 3:26 AM
Reposted by Kevin Deng
we now have some new @e18e.dev docs on best practice of publishing npm packages

this documents the recommended basics for a secure publish workflow and gives some pointers for further security/tools/etc

this is a _very_ opinionated subject, so do ping me if you have feedback!
e18e (Ecosystem Performance) - Publishing Packages
Best practices on publishing npm packages securely using GitHub Actions.
e18e.dev
October 2, 2025 at 3:41 PM
October 1, 2025 at 2:45 AM
Do you prefer `.mjs` or `.js` for Node libraries?

I used to favor `.js`, but `.mjs` seems to improve toolchain performance. Since Node will support CJS for the foreseeable future, we need an easier way to tell ESM and CJS apart.

github.com/rolldown/tsd...
feat!: defaults `fixedExtension` to true when platform is `node` by sxzz · Pull Request #517 · rolldown/tsdown
Description Defaults fixedExtension to true when platform is node. Linked Issues Additional context
github.com
September 28, 2025 at 11:02 PM
The good news I've been waiting for has finally arrived.

github.blog/security/sup...
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
September 23, 2025 at 3:16 PM
Reposted by Kevin Deng
POV on how you set up Trusted Publisher for npm as a maintainer of a giant monorepo... thanks npm for being... so manual...

Thanks @sxzz.dev for the userscript to make things a lot easier!
github.com/sxzz/userscr...

I also made a small script to open the tabs:
github.com/antfu/open-p...
September 23, 2025 at 1:03 AM
Simply use this plugin to make your import statements more efficient, with no configuration required

github.com/sxzz/rolldow...
September 19, 2025 at 6:37 PM
TIL: For better performance, avoid importing TypeScript compiler and Babel packages as ESM

😱 use `require()` instead!
September 18, 2025 at 7:54 PM
1. Never manually enter your GitHub or npm password; use a Passkey instead.
2. Enable npm 2FA for both authorization and publishing.
3. Use trusted publishing and remove all npm CI tokens.
4. Only invite maintainers who follow these security practices.
All the packages affected by this attack had not enabled trusted publishing and provenance.
- The top four packages were all impacted.
- More than half of the top ten packages were affected.

github.com/sxzz/npm-top...
September 8, 2025 at 5:01 PM
All the packages affected by this attack had not enabled trusted publishing and provenance.
- The top four packages were all impacted.
- More than half of the top ten packages were affected.

github.com/sxzz/npm-top...
September 8, 2025 at 4:24 PM
Reposted by Kevin Deng
🚨 Breaking: npm author Qix compromised. Malicious package versions published in projects that typically see hundreds of millions of downloads each week.

Details: socket.dev/blog/npm-aut...
npm Author Qix Compromised in Major Supply Chain Attack - So...
npm author Qix’s account was compromised, with malicious versions of popular packages like chalk-template, color-convert, and strip-ansi published.
socket.dev
September 8, 2025 at 3:23 PM
Reposted by Kevin Deng
looks like @sxzz.dev is doing great work pushing people to use trusted publishing!

happy to see e18e folks helping out too
August 31, 2025 at 6:51 PM
taze now includes npm provenance downgrade checks to help prevent attacks similar to those previously experienced by Rspack.
August 21, 2025 at 7:12 AM
To enhance the security of publishing npm packages locally, I’ve enabled 2FA for publishing: `npm profile enable-2fa auth-and-writes`

To make the process both secure and convenient, especially for 1Password users, I created a package that automatically enters the OTP code for you.

github.com/sxzz/unotp
August 20, 2025 at 2:55 PM
Reposted by Kevin Deng
⚡ Speaker highlight: Kevin Deng, Creator of tsdown

When it comes to publishing and packing libraries, there are tons of things to consider.

Luckily, @sxzz.dev built an all-in-one solution! Meet tsdown and learn about automatic dts generation, dependency analysis, multi-format output and more!
August 18, 2025 at 4:01 PM