The Wasm W3C Community Group and Working Group released Wasm version 3 on Thursday. In the announcement, Wasm contributor and programming language researcher and engineer Andreas Rossberg called it “a substantially larger update,” which includes features in the making for six or eight years.
Of particular interest to frontend developers will be a new offering: WebAssembly (Wasm) now has a more efficient way to handle JavaScript strings.
Previously, Wasm received JavaScript string values, but treated them as external references (externrefs). A new extension to the JavaScript API provides a primitive library of functions that can be imported into a Wasm module. These functions allow Wasm to directly access and manipulate JavaScript string values. That means better support for compiling high-level programming languages.
“Enabled by this, we have seen various new languages popping up to target Wasm, such as Java, OCaml, Scala, Kotlin, Scheme or Dart, all of which use the new GC [garbage collection] feature,” Rossberg wrote.
Some of the major updates include:
- 64-bit address space: “Memories and tables can now be declared to use i64 as their address type instead of just i32,” Rossberg wrote. “That expands the available address space of Wasm applications from 4 gigabytes to (theoretically) 16 exabytes, to the extent that physical hardware allows.”
- Multiple memories: Wasm applications have always been able to use multiple memory objects simultaneously, but it was only possible by declaring and accessing each of them in separate modules, explained Rossberg. Now a single module can declare (that is, define or import) multiple memories and access them directly, including copying data directly between them.
- Garbage collection: There’s support for a new form of storage that is automatically managed by the Wasm runtime via a garbage collector. “Staying true to the spirit of Wasm as a low-level language, Wasm GC is low-level as well: A compiler targeting Wasm can declare the memory layout of its runtime data structures in terms of struct and array types, plus unboxed tagged integers, whose allocation and lifetime is then handled by Wasm,” Rossberg wrote. “But that’s it. Everything else, such as engineering suitable representations for source-language values, including implementation details like method tables, remains the responsibility of compilers targeting Wasm.”
2025 State of CSS Survey Shows CSS Use Evolving
“This is not the CSS we used to know (and that’s a good thing),” wrote web developer Amit Sheen in the conclusion section of the “2025 State of CSS” survey. “Looking through the survey results, it’s clear that CSS is no longer ‘just’ a styling language.”
CSS is taking on a larger role in layouts, motion, compatibility and accessibility, he added, thus redefining CSS’s identity as a modern, expressive toolset that is finally getting the recognition it deserves.
The survey, which Devographics ran from June 1 to July 15, collected 5,506 responses. Out of the 3,985 who answered the question about CSS usage, 82% said they used CSS for web apps, followed by blogs or other text-heavy usage at 50%. Respondents were allowed to choose multiple options.
The survey also queried respondents about CSS pain points, missing features and browser incompatibility. There were also more positive questions about the best features and “game changing” features, with grid topping that list.
Another npm Packages Attack
There was another attack on npm packages this week, according to GitGuardian, a code security platform for DevOps. It was named the Shai-Hulud attack after the GitHub repository, created under the victim’s organization, to which a file named data.json was uploaded.
This follows an npm attack earlier this month that targeted 18 popular packages with more than 2 billion downloads per week.
This week’s attack targeted @ctrl/tinycolor and 150 other npm packages, according to GitGuardian.
The compromised packages’ structure has been detailed in blog posts by socket.dev and StepSecurity. GitGuardian’s cybersecurity research team investigated this attack to evaluate its impact from the leaked secret perspective.
GitGuardian observed the related GitHub activity from Sept. 15 at 03:46 to Sept. 16 at 13:42 and counted 226 malicious GitHub Actions workflow files pushed and 44 secret-collection data.json files.
“Only 46 users unwillingly published content to GitHub through this attack,” the security firm posted. “This limited number indicates the attack was quickly contained.”
Still, a total of 278 secrets had been publicly leaked on GitHub as a result of this campaign, they noted, with 90 collected from the compromised local systems and uploaded to a data.json file, while the 188 others were compromised by the malicious workflows.
GitGuardian wrote that these attack methods are a growing threat to the open source ecosystem.
“This attack demonstrates the continued evolution of supply chain threats, following established patterns from GhostActions, s1ngularity, and tj-actions campaigns,” GitGuardian wrote. “Threat actors have developed a reliable and effective approach that they continue to refine and deploy.”
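To check whether a project resolves any package named in the advisories, the lockfile has to be walked, because a watched package is often pulled in as a nested dependency. The following is an added example, not code from GitGuardian, socket.dev or StepSecurity: the watchlist holds only the one package this article names, the function names are hypothetical, and the sample lockfile and its version strings are constructed.

```javascript
// Added example. WATCHLIST holds only the package the article names; extend it
// from the published advisories and compare reported versions against them.
const WATCHLIST = new Set(['@ctrl/tinycolor']);

// v2/v3 lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one record per resolved copy of a watched package.
function findWatched(lock, watchlist = WATCHLIST) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromLockPath(path);
      if (name && watchlist.has(name)) {
        hits.push({ name, version: meta.version || null, path });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(' > ');
      if (watchlist.has(name)) hits.push({ name, version: meta.version || null, path });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a direct copy, a nested copy, and a look-alike name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '0.0.0-constructed-a' },
    'node_modules/example-ui/node_modules/@ctrl/tinycolor': { version: '0.0.0-constructed-b' },
    'node_modules/@ctrl/tinycolor-extra': { version: '0.0.0-constructed-c' },
  },
};
console.log(findWatched(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of package-lock.json to `findWatched` in place of `SAMPLE_LOCK`.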
React Router Gets Middleware Feature
React Router 7.9.0 was released Thursday, marking the “long-awaited” middleware feature as stable.
“Middleware was needed as a way to run route logic sequentially, prior to (and after!) running loaders in parallel,” explained Remix staff developer Matt Brophy. “We knew this early on and opened an RFC [request for comment] back in late 2022, which quickly became the most upvoted proposal in the project. We even did an initial implementation in early 2023 …”
But the middleware in the existing data-loading architecture “wasn’t actually as useful as it appeared,” added Brophy. It created more problems than it solved because it ran on every request, thus not reducing the number of requests to the database. To fix that, the team had to make a few larger, underlying architectural changes to create a middleware API in React Router. This release marks the stabilization of the middleware-related APIs.
“We’re excited to finally stabilize these APIs in 7.9.0 behind the future.v8_middleware flag and can’t wait to see the interesting patterns folks come up with when using them,” Brophy wrote, adding that there are already useful middlewares available in remix-utils.
Elixir Global Meetups Coming
Elixir is a programming language that can build scalable applications, in particular for web development using the Phoenix framework. It can be used on the frontend as an alternative to JavaScript.
Each year, Global Elixir Meetups (GEMS) are held to bring together Elixir developers for a full week of talks. This year, the event will be Sept. 22-28. These are live events, held at cities throughout the world. Check out the website to find an event near you or sign up to host one.
GEMS is the creation of Software Mansion, who are Elixir experts, multimedia innovators and software development consultants.