jun 18, 2026
5 links from the engineering internet.
node.js ships security releases across v26, v24, and v22 fixing 11 cves
the runtime patches 11 cves at once, including high-severity tls hostname normalization and webcrypto cipher output length checks, plus http/2 memory growth, proxy credential redaction, and permission-model fixes. bundles openssl 3.5.7 and undici 7.28.0.
oxc 0.137.0 reworks estree config and improves minifier tree-shaking
the rust javascript toolchain makes estree typescript handling a runtime option instead of compile-time, a breaking api change, and teaches the minifier to tree-shake typed arrays and set/map literals plus inline const reads.
nokogiri 1.19.4 vendors libxml2 2.14.6 with html5 parser behavior changes
the ruby xml/html library bumps vendored libxml2 to 2.14.6 from 2.13.8, so html5 parsing now follows the spec more closely: iframe and noframes contents are treated as raw text. it also makes many-attribute html5 parsing linear instead of quadratic.
haystack 2.30.2 fixes agents exiting early on discarded tool calls
the python llm framework patches its agent loop so it no longer stops when the model emits an invalid tool call that gets discarded. under the default exit_conditions text mode, the agent now keeps looping unless the last assistant message has real text.
fastapi 0.137.2 adds iter_route_contexts() after the 0.137.0 routing refactor
the patch restores an introspection path for advanced users hit by 0.137.0, which stopped flattening router.routes into apiroute objects. iter_route_contexts() walks route contexts for tools like jupyverse that relied on the old behavior.