Practice safe npx with Deno

Issue #454. January 14, 2026. 2 minute read.
Bytes

Big news: ui.dev is merging with Fireship to create fireship.dev 🔥.

Jeff and I have talked about teaming up for years now, and we’re excited to start making more content together across YouTube, newsletters, and courses.

Bytes isn’t changing. I’ll still be writing it, and it’ll still be the main place for me to work through my childhood trauma in meme form. The only difference now is that it will come from tyler@fireship.dev.

bytes.dev, react.gg, and query.gg will continue to live on their own landing pages, but the ui.dev brand has officially been sunset and folded into fireship.dev (I will remember you…)

If you’re a ui.dev course subscriber, you’ll get a separate email later today (or probably tomorrow at this point), but the TL;DR is you now get all the Fireship PRO content too, for the same price.

Really excited to show you what we’re working on and as always, thanks for reading ❤️


Today’s issue: Pretending to like Zig, pretending to have hobbies, and pretending to have strong opinions about garbage collection.

Welcome to #454.



The Main Thing

Guy with sunface saying, it was revealed to me by the microplastics in my brain

When the intern asks me how I know this random npm package is safe

Practice safe npx with Deno

Like much of the npm ecosystem, npx has always felt a little sketchy from a security perspective. But at this point, most of us have gotten very good at ignoring that quiet voice in our head as we type new commands and hope for the best.

But Ryan Dahl & friends aren’t most developers. That’s why Deno 2.6 shipped with dx – a new way to run package binaries from npm and JSR without installing them globally.

Isn’t that just what npx does? Yes, but under the hood it’s safer and more opinionated. dx asks you before downloading packages, then prompts you again before running lifecycle scripts. And it keeps execution inside Deno’s permission system instead of blindly trusting arbitrary third-party code at runtime.

Everything else is the same as npx, but that small pause before execution is the point.

By design, dx only runs package binaries (not local files), which keeps it focused on the same use case as npx, instead of trying to become a generic escape hatch. It defaults to npm packages, but pairs naturally with Deno’s JSR registry too. And while it runs with full permissions by default, all of those permissions are explicitly surfaced instead of just assumed.
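To make that "small pause" concrete, here is an added example (not code from this issue, and not Deno's dx implementation): a small Python check that does the same two things dx does before running a package binary, namely show which executables the package would expose and which install-time lifecycle scripts npm would run, and hand the decision back to the user when scripts are present. The two manifests at the bottom are constructed for the example and are not real packages.

```python
"""Pause-before-execution check for an npm package manifest.

Added example, not part of Bytes or of Deno's dx. Given a package.json, it
reports the binaries the package exposes and the lifecycle scripts npm would
run on install, and only asks the user when something would execute at
install time.
"""
import json
from typing import Callable, Dict

# Scripts npm executes automatically when a package is installed, which is
# also when npx installs it on first use. This is the first point at which
# third-party code runs on your machine.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def inspect_manifest(manifest_json: str) -> Dict:
    """Summarise what running this package would expose and execute."""
    pkg = json.loads(manifest_json)
    name = pkg.get("name", "<unnamed>")
    bins = pkg.get("bin", {})
    if isinstance(bins, str):
        # npm shorthand: a single executable named after the unscoped package
        bins = {name.split("/")[-1]: bins}
    scripts = pkg.get("scripts") or {}
    lifecycle = {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}
    return {
        "name": name,
        "version": pkg.get("version", "?"),
        "bins": dict(bins),
        "lifecycle": lifecycle,
    }


def describe(report: Dict) -> str:
    """Render the report as the text a user would see before confirming."""
    lines = [f"{report['name']}@{report['version']}"]
    for cmd, path in sorted(report["bins"].items()):
        lines.append(f"  bin: {cmd} -> {path}")
    if report["lifecycle"]:
        lines.append("  lifecycle scripts that would run on install:")
        for hook, cmd in report["lifecycle"].items():
            lines.append(f"    {hook}: {cmd}")
    else:
        lines.append("  no install-time lifecycle scripts")
    return "\n".join(lines)


def guard(manifest_json: str, ask: Callable[[str], bool]) -> bool:
    """Return True if the package may be run.

    Packages without lifecycle scripts pass straight through; anything that
    would execute code at install time is shown to the user, who decides.
    """
    report = inspect_manifest(manifest_json)
    if not report["lifecycle"]:
        return True
    return ask(describe(report))


def ask_on_terminal(summary: str) -> bool:
    """Interactive prompt used when the script is run directly."""
    print(summary)
    return input("Run this package anyway? [y/N] ").strip().lower() == "y"


# Constructed manifests for the example (hypothetical packages, not real ones).
CLEAN_MANIFEST = json.dumps({
    "name": "@example/clean-cli",
    "version": "1.0.0",
    "bin": "./cli.js",
    "scripts": {"test": "node test.js"},
})
SCRIPTED_MANIFEST = json.dumps({
    "name": "example-tool",
    "version": "2.3.1",
    "bin": {"example-tool": "./bin/cli.js"},
    "scripts": {"postinstall": "node scripts/setup.js", "build": "tsc"},
})

if __name__ == "__main__":
    for manifest in (CLEAN_MANIFEST, SCRIPTED_MANIFEST):
        print(describe(inspect_manifest(manifest)))
        print("allowed:", guard(manifest, ask_on_terminal))
        print()
```

Run it directly and the clean package is allowed without a question, while the one with a postinstall script prints what would execute and waits for a yes. The `ask` callback is injected so the same logic can be driven non-interactively, for example from a CI policy that always answers no.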

Bottom Line: dx is like when my wife asks me, “are you sure you want to do this,” every time I try to complete the 72-ounce Steak Challenge at The Big Texan Steak Ranch. She’s not really changing my workflow, but she’s giving me a chance to reconsider my choices.

Hopefully Deno developers will actually listen to dx though.



Our Friends
(With Benefits)

A wizard watching a crystal ball light up

Watching my users pay all my AI and cloud bills

Build apps without building infrastructure

Puter.js is a frontend-only JavaScript SDK that gives you everything you’d normally duct-tape together with five services, three dashboards, and a mild existential crisis.

  • The Everything SDK™ – Access 500+ AI models, cloud storage, databases, auth, networking, and more, all from a single JS SDK. Just import and ship. No more juggling vendors.

  • Actually serverless – Puter.js runs entirely in the frontend. There’s no backend, no API keys, and no account required. Run npm install @heyputer/puter.js or use one of the starter templates to start building (see quickstart guide).

  • User-Pays scaling – Your users cover their own AI and cloud costs, so you as the developer don’t pay for anything.

Check it out for free – there’s no billing and it’s simple to set up.



Cool Bits

  1. Cam Pederson took a ceramics class and wrote a cool article about how code is clay. We love to see a man with hobbies.

  2. Astro 6.0 beta just dropped yesterday with a redesigned dev server and more reasons to regret using RSC for your company’s landing page.

  3. AppSignal gives you full observability without complexity. Your team gets logs, metrics, and traces in one simple UI that’s easy to use. Try it for free. [sponsored]

  4. antirez warned against falling into the anti-AI hype, even if it’s fun to be a hater sometimes.

  5. Speaking of which, David Loker shared a report on how AI code creates 1.7x more problems. But there’s good news too.

  6. Aapo Alasuutari wrote a completely non-contrarian article about how garbage collection is contrarian.

  7. Only idiots write manual tests – modern engineering teams like Notion, Dropbox and LaunchDarkly use Meticulous to maintain e2e UI tests that cover every edge case of your web app. [sponsored]

  8. Dave Rupert concluded his four-part blog series on contrast-color() with this playful focus rings explainer.

  9. Harrison Chase wrote a good post on why good observability is crucial to understanding code written by AI agents.

  10. Mike Cann made this video on how he spent 10 months making the best Christmas lights display & simulator using Convex. Now this is the kind of unhinged sponsored content I can respect, especially if Mike was able to expense all those lights. [sponsored]

  11. Addy Osmani gave his advice on navigating the next two years of software engineering as a developer. Tip #1: Work at Google from 2010-2025.

  12. Karl Seguin explained why the Lightpanda team migrated their DOM to Zig. But we all know the real reason is because they’re trying to become friends with Jarred and get acquired by Anthropic.