May Reading List

2 June 2026 | 5 min read | 816 words

Here's the May edition of interesting things I've read this month; you can also read last month's post here.

More compromised npm packages

Another month and more supply chain attacks. Various TanStack packages were compromised in a "Mini Shai-Hulud" attack. Tanner Linsley shared a detailed postmortem describing how the attack happened through a GitHub Actions configuration vulnerability. Later, another 317 npm packages were compromised using the same credential-harvesting script, which self-replicates across packages using any npm credentials it finds.

It's another strong reminder to take steps to harden your supply chain security. We've upgraded all of our projects to the recently released pnpm v11, which sets a minimumReleaseAge of 1 day by default. Most of these attacks are discovered quickly, so a buffer before adopting a new release should help protect against them.
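As an added example that is not part of this post and is not pnpm's own code, this is the check a minimum release age expresses, run against a constructed package document shaped like the npm registry's `time` field (pnpm expresses the setting in minutes, so the 1-day default is 1440). The package name, versions, timestamps and the "current time" are all constructed so it runs offline.

```javascript
// Added example, not from the post or from pnpm: the check that a
// minimumReleaseAge setting expresses, run against constructed registry data.

// Constructed package document shaped like the npm registry's `time` field,
// which maps each published version (plus "created"/"modified") to an
// ISO-8601 publish timestamp. Name, versions and dates are made up.
const SAMPLE_METADATA = {
  name: "example-pkg",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2026-01-10T09:00:00.000Z",
    modified: "2026-05-31T22:15:00.000Z",
    "2.0.0": "2026-04-02T12:00:00.000Z",
    "2.0.1": "2026-05-20T08:30:00.000Z",
    "2.1.0": "2026-05-31T22:15:00.000Z", // published hours before NOW
  },
};

// Constructed "current time" so the example is deterministic offline.
const NOW = new Date("2026-06-01T10:00:00.000Z");

// pnpm's setting is in minutes; one day is the default the post mentions.
const ONE_DAY_MINUTES = 24 * 60;

// Minutes between a version's publish time and `now`, or NaN when the
// registry document has no timestamp for that version.
function releaseAgeMinutes(metadata, version, now) {
  const published = metadata.time[version];
  if (published === undefined) return NaN;
  return (now.getTime() - Date.parse(published)) / 60_000;
}

// True only when the version has been public for at least `minimumReleaseAge`
// minutes. Unknown versions fail closed.
function isOldEnough(metadata, version, now, minimumReleaseAge) {
  const age = releaseAgeMinutes(metadata, version, now);
  return Number.isFinite(age) && age >= minimumReleaseAge;
}

// Numeric major.minor.patch comparison (enough for the constructed data;
// a real resolver would use a full semver implementation).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] ?? 0) !== (pb[i] ?? 0)) return (pa[i] ?? 0) - (pb[i] ?? 0);
  }
  return 0;
}

// Newest published version that satisfies the minimum age, or null if none
// does. This is what lets an install keep working while a brand-new release
// sits in the buffer window.
function selectVersion(metadata, now, minimumReleaseAge) {
  const eligible = Object.keys(metadata.time)
    .filter((key) => key !== "created" && key !== "modified")
    .filter((version) => isOldEnough(metadata, version, now, minimumReleaseAge))
    .sort(compareVersions);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// Audit already-resolved dependencies (for example, entries read from a
// lockfile) and report the ones younger than the threshold.
function flagTooNew(resolved, metadataByName, now, minimumReleaseAge) {
  return resolved
    .filter(({ name, version }) => {
      const metadata = metadataByName[name];
      return !metadata || !isOldEnough(metadata, version, now, minimumReleaseAge);
    })
    .map(({ name, version }) => `${name}@${version}`);
}

// Stand-alone run against the constructed data.
const metadataByName = { [SAMPLE_METADATA.name]: SAMPLE_METADATA };
console.log("latest tag:", SAMPLE_METADATA["dist-tags"].latest);
console.log("selected with 1-day buffer:", selectVersion(SAMPLE_METADATA, NOW, ONE_DAY_MINUTES));
console.log(
  "flagged:",
  flagTooNew([{ name: "example-pkg", version: "2.1.0" }], metadataByName, NOW, ONE_DAY_MINUTES),
);
```

With the 1-day buffer the resolver skips 2.1.0 (published under twelve hours before the constructed "now") and settles on 2.0.1; the same check over a lockfile flags anything that slipped in before the buffer was enabled. Unknown versions are treated as too new on purpose, so a missing timestamp never quietly passes.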

In a similar security vein, I came across Varlock this month, an interesting tool for giving agents context about which secrets are available while preventing access to the actual secret values. Making sure secrets aren't sitting in plaintext on your machine can also limit the damage from credential-harvesting attacks if you ever do pull one of these packages in.

Model training & Opus 4.8

Anthropic published a blog post about changes to their alignment training approaches, detailing how training Claude on the principles and reasoning behind ethical choices has improved agentic alignment. It's interesting to think about how this might apply to skills we create too, where just listing specific examples of desired behaviour isn't enough for cases when the agent encounters a novel situation.

OpenAI published a funny post about "Where the goblins came from". Training the "nerdy" personality feature unintentionally gave high reward to creature metaphors, to the point where they ended up having to add a system prompt to tell the model not to talk about goblins.

Anthropic also released Claude Opus 4.8 at the end of the month, just over a month after 4.7.

Building with agents

Addy Osmani published a post about different strategies for long-running agents, although I'm still not convinced of this strategy for writing production code.

Birgitta Böckeler's post on Maintainability sensors for coding agents is a good read on some of the different guardrails and checks that are essential for enabling self-correction in agents.

I also read Helio Medeiros' post on using DORA metrics to measure the impact of AI adoption. It's a similar approach to what I'm trying to do systematically at Mintel through my work on building a retrospective agent.

Interesting thoughts

Mark Erikson shared a long post about his experience moving through scepticism, fear and adoption of AI coding tools.

Tuhin Nair wrote a post about senior developers communicating their expertise. There are some good points in there that I agree with about how engineers think and communicate to the rest of the business. The recommendation of a "speed" system for rapid experimentation might be appealing, but the details are missing on how you keep enough guardrails around it in practice, and on how much extra work it takes to untangle the "speed" version once it has already been sold to customers.

Lalit Maganti shared a post about not answering the first question. I think it's very relatable to anyone working on a platform team or building tools for other engineers.

Web platform and frontend

The Chrome team have published a post on Declarative Partial Updates. The proposal is an attempt to make out-of-order HTML streaming and more efficient HTML insertion part of the web platform, essentially making the islands architecture a first-class citizen of the web.

Storybook 10.4 was released. The most interesting thing to me was the addition of first-class support for TanStack React.

Yangshun Tay writes about how frontend development is changing, with recommendations of where frontend developers should focus their learning and development.

I also discovered D2. I've been using Mermaid for diagrams on my blog but had trouble with custom styling; D2 looks like a powerful alternative I'd like to try out.

Interesting tech reads

How 2004 RuneScape fit a multiplayer RPG into 56k dial-up is a technical deep dive on how the 2004 RuneScape client was designed for efficient client-server communication from a Java applet in the browser. An interesting read: RuneScape is one of my early gaming memories and was my first introduction to how powerful the web could be.

The Netflix technology blog published a post about building a real-time service map. The approach is interesting, even if it is light on technical implementation and reads as quite AI-generated. It's relatable as I'm trying to get agents to be able to traverse across systems at work, and realising how many cross-system dependencies aren't clearly documented anywhere and how much of that knowledge is just in people's heads.

And finally, a short post from Google's blog about adding context to code review responses. Some very helpful guidance on how you should respond to code review feedback, providing some context on how or why you addressed it.
