Janis Jansen 🌳
@janis.me
Building the future of Music @ElevenLabs (and open source CSS tools @janis.me). Previously fluid simulations @dive.
Check out surimi.dev if you like CSS and typescript.
🔗 janis.me
🖥️ github.com/janis-me
📽️ youtube.com/@janis-me
Check out surimi.dev if you like CSS and typescript.
🔗 janis.me
🖥️ github.com/janis-me
📽️ youtube.com/@janis-me
Pinned
Janis Jansen 🌳
@janis.me
· Oct 15
The first version of the 🍣 surimi playground is live!
It runs the @rolldown.rs based compiler in a WebContainer, and updates the editor instantly!
Check it out! surimi.dev/playground
Compile times are bit slower than locally tho.
Also
- has type-hint support
- you can install new packages
- ...
It runs the @rolldown.rs based compiler in a WebContainer, and updates the editor instantly!
Check it out! surimi.dev/playground
Compile times are bit slower than locally tho.
Also
- has type-hint support
- you can install new packages
- ...
We nominated some open source maintainers and tools to receive funding from the OSS Engineers Fund and will donate $22k to the projects we rely on at ElevenLabs! Some of these are my favorite tools I use daily that I think really deserve support like PostCSS, Graphite, ProseMirror and more.
December 15, 2025 at 7:36 PM
We nominated some open source maintainers and tools to receive funding from the OSS Engineers Fund and will donate $22k to the projects we rely on at ElevenLabs! Some of these are my favorite tools I use daily that I think really deserve support like PostCSS, Graphite, ProseMirror and more.
Reposted by Janis Jansen 🌳
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Beware, a linkedin-type post...
I'm super excited to share that I've joined ElevenLabs to work on the creative platform and music as a full-stack dev!
Music and next-gen software have been a passion for literally my entire adult life. Now I can combine them in the best way!
I'm super excited to share that I've joined ElevenLabs to work on the creative platform and music as a full-stack dev!
Music and next-gen software have been a passion for literally my entire adult life. Now I can combine them in the best way!
December 2, 2025 at 8:29 PM
Beware, a linkedin-type post...
I'm super excited to share that I've joined ElevenLabs to work on the creative platform and music as a full-stack dev!
Music and next-gen software have been a passion for literally my entire adult life. Now I can combine them in the best way!
I'm super excited to share that I've joined ElevenLabs to work on the creative platform and music as a full-stack dev!
Music and next-gen software have been a passion for literally my entire adult life. Now I can combine them in the best way!
Hell yes. Tom Lehrer on WMBR radio rn. Collage radio is the best.
November 27, 2025 at 9:58 AM
Hell yes. Tom Lehrer on WMBR radio rn. Collage radio is the best.
Unified Linux and Mac nix config ✅
Got rid of NixGL ✅
Will stop changing my config now that it works ❌
Got rid of NixGL ✅
Will stop changing my config now that it works ❌
November 25, 2025 at 6:01 AM
Unified Linux and Mac nix config ✅
Got rid of NixGL ✅
Will stop changing my config now that it works ❌
Got rid of NixGL ✅
Will stop changing my config now that it works ❌
The component library I want is SUPER opinionated but also mostly unstyled.
I want it to force me to do things right, like force tooltips on some components but BAN them on others.
I want it to force me to use its built-in data-attributes for styling, but also allow me to use any styling tools.
I want it to force me to do things right, like force tooltips on some components but BAN them on others.
I want it to force me to use its built-in data-attributes for styling, but also allow me to use any styling tools.
November 23, 2025 at 8:51 PM
The component library I want is SUPER opinionated but also mostly unstyled.
I want it to force me to do things right, like force tooltips on some components but BAN them on others.
I want it to force me to use its built-in data-attributes for styling, but also allow me to use any styling tools.
I want it to force me to do things right, like force tooltips on some components but BAN them on others.
I want it to force me to use its built-in data-attributes for styling, but also allow me to use any styling tools.
@uni-muenster.de I just got a spam email claiming to be PayPal (with a copycat PayPal design) from your email [email protected].
Either you were hacked or you have a very nasty student.
Either you were hacked or you have a very nasty student.
November 23, 2025 at 8:57 AM
@uni-muenster.de I just got a spam email claiming to be PayPal (with a copycat PayPal design) from your email [email protected].
Either you were hacked or you have a very nasty student.
Either you were hacked or you have a very nasty student.
Are y'all using node 'subpath imports' yet? I've been using them for a couple of months and apart for some minor inconveniences they are working super well! I never thought about going back to typescript path aliases.
If you're not, maybe you should!
If you're not, maybe you should!
November 13, 2025 at 9:52 AM
Are y'all using node 'subpath imports' yet? I've been using them for a couple of months and apart for some minor inconveniences they are working super well! I never thought about going back to typescript path aliases.
If you're not, maybe you should!
If you're not, maybe you should!
Dying wish is the best hardcore band. You'll not change my mind.
November 6, 2025 at 10:24 AM
Dying wish is the best hardcore band. You'll not change my mind.
You can't stop me from playing Metroid Fusion on a GBA emulator on my modded Wii.
I do own a computer and I do own several other consoles. But this is the way you are supposed to play GBA games.
I do own a computer and I do own several other consoles. But this is the way you are supposed to play GBA games.
November 4, 2025 at 4:14 PM
You can't stop me from playing Metroid Fusion on a GBA emulator on my modded Wii.
I do own a computer and I do own several other consoles. But this is the way you are supposed to play GBA games.
I do own a computer and I do own several other consoles. But this is the way you are supposed to play GBA games.
In Firefox, if you could filter network requests based on path/file.. you could negate the filter and exclude all requests from the vite dev server.
I think that's something we need. Vite module requests always spam the network panel.
I think that's something we need. Vite module requests always spam the network panel.
October 28, 2025 at 6:32 AM
In Firefox, if you could filter network requests based on path/file.. you could negate the filter and exclude all requests from the vite dev server.
I think that's something we need. Vite module requests always spam the network panel.
I think that's something we need. Vite module requests always spam the network panel.
We're getting there! Was a very productive week.
October 23, 2025 at 8:14 PM
We're getting there! Was a very productive week.
Let an LLM write some code. Then write like 100 tests but still don't trust the code.
- coding in 2025
- coding in 2025
October 23, 2025 at 11:22 AM
Let an LLM write some code. Then write like 100 tests but still don't trust the code.
- coding in 2025
- coding in 2025
I'm learning so much more about CSS by building surimi (because I am forced to read the CSS specification).
For example, just wrote some types to figure out all possible @media query descriptors you can use.
It's 40 in total
For example, just wrote some types to figure out all possible @media query descriptors you can use.
It's 40 in total
October 19, 2025 at 12:55 PM
I'm learning so much more about CSS by building surimi (because I am forced to read the CSS specification).
For example, just wrote some types to figure out all possible @media query descriptors you can use.
It's 40 in total
For example, just wrote some types to figure out all possible @media query descriptors you can use.
It's 40 in total
I'm in a deep `extends...infer` typescript hole again. And it's just awesome. Getting a lot done today!
October 17, 2025 at 8:46 PM
I'm in a deep `extends...infer` typescript hole again. And it's just awesome. Getting a lot done today!
Wow! Very pleasantly surprised when visiting @inwx.de website today - they've got a shiny new website!
Buuut domain search doesn't work :(
Buuut domain search doesn't work :(
October 17, 2025 at 4:14 AM
Wow! Very pleasantly surprised when visiting @inwx.de website today - they've got a shiny new website!
Buuut domain search doesn't work :(
Buuut domain search doesn't work :(
Reposted by Janis Jansen 🌳
Heard people say all JS package managers work the same (so they stick with the abandoned npm).
They don’t: npm can be up to 2x slower than pnpm.
And the gap in DX and security is even bigger.
yarnpkg.com/benchmarks
They don’t: npm can be up to 2x slower than pnpm.
And the gap in DX and security is even bigger.
yarnpkg.com/benchmarks
October 16, 2025 at 9:01 AM
Heard people say all JS package managers work the same (so they stick with the abandoned npm).
They don’t: npm can be up to 2x slower than pnpm.
And the gap in DX and security is even bigger.
yarnpkg.com/benchmarks
They don’t: npm can be up to 2x slower than pnpm.
And the gap in DX and security is even bigger.
yarnpkg.com/benchmarks
The first version of the 🍣 surimi playground is live!
It runs the @rolldown.rs based compiler in a WebContainer, and updates the editor instantly!
Check it out! surimi.dev/playground
Compile times are bit slower than locally tho.
Also
- has type-hint support
- you can install new packages
- ...
It runs the @rolldown.rs based compiler in a WebContainer, and updates the editor instantly!
Check it out! surimi.dev/playground
Compile times are bit slower than locally tho.
Also
- has type-hint support
- you can install new packages
- ...
October 15, 2025 at 10:39 AM
The first version of the 🍣 surimi playground is live!
It runs the @rolldown.rs based compiler in a WebContainer, and updates the editor instantly!
Check it out! surimi.dev/playground
Compile times are bit slower than locally tho.
Also
- has type-hint support
- you can install new packages
- ...
It runs the @rolldown.rs based compiler in a WebContainer, and updates the editor instantly!
Check it out! surimi.dev/playground
Compile times are bit slower than locally tho.
Also
- has type-hint support
- you can install new packages
- ...
Okay downloading Firefox beta for Android now because I CAN'T WAIT FOR VIEW TRANSITIONS let's goooo
October 14, 2025 at 8:08 PM
Okay downloading Firefox beta for Android now because I CAN'T WAIT FOR VIEW TRANSITIONS let's goooo
Is there anyone who knows how to hook up a @stackblitz.com Webcontainer instance to a Monaco editor? I'm talking typescript type resolution, getting JSDoc comments from node_modules etc.
I can get it to work by including typescript and @typescript/vfs in the build but.. that seems overkill?
I can get it to work by including typescript and @typescript/vfs in the build but.. that seems overkill?
October 13, 2025 at 4:51 PM
Is there anyone who knows how to hook up a @stackblitz.com Webcontainer instance to a Monaco editor? I'm talking typescript type resolution, getting JSDoc comments from node_modules etc.
I can get it to work by including typescript and @typescript/vfs in the build but.. that seems overkill?
I can get it to work by including typescript and @typescript/vfs in the build but.. that seems overkill?
Ai is secure, intelligent and will replace us.
October 13, 2025 at 4:46 PM
Ai is secure, intelligent and will replace us.
I have to say: If I trust anyone to make this move into a commercial direction it's the people behind vite, vitest, rolldown etc.
A few people are absolutely carrying WebDev tooling through the last couple of years mostly for free... So if they now want to get SOME money from FFANG etc that's good
A few people are absolutely carrying WebDev tooling through the last couple of years mostly for free... So if they now want to get SOME money from FFANG etc that's good
Just talked about Vite+ at @viteconf.org - check out more at viteplus.dev :)
More detailed announcement on Monday!
More detailed announcement on Monday!
Vite+
The Unified Toolchain for the Web
viteplus.dev
October 10, 2025 at 5:11 PM
I have to say: If I trust anyone to make this move into a commercial direction it's the people behind vite, vitest, rolldown etc.
A few people are absolutely carrying WebDev tooling through the last couple of years mostly for free... So if they now want to get SOME money from FFANG etc that's good
A few people are absolutely carrying WebDev tooling through the last couple of years mostly for free... So if they now want to get SOME money from FFANG etc that's good
Hell yeah! Kevin on @piccalil.li. A must read!
Are you the type of dev who just copies and pastes hex codes?
If so, I've written an article over at @piccalil.li just for you!
I take a look at some of the new CSS colour features that are most useful for those who don't really care about colours.
piccalil.li/blog/a-pragm...
If so, I've written an article over at @piccalil.li just for you!
I take a look at some of the new CSS colour features that are most useful for those who don't really care about colours.
piccalil.li/blog/a-pragm...
A pragmatic guide to modern CSS colours - part one
Whether you've got a firm grasp on modern CSS colour capabilities, or you're thinking 'I struggle to understand why I should use modern CSS colours at all', then the first part of this article series,...
piccalil.li
October 7, 2025 at 6:08 PM
Hell yeah! Kevin on @piccalil.li. A must read!
The EU (and Germany) want to ban End-to-end encryption in Whatsapp etc. But we may be able to stop them.
This would end secure communication. Absolutely bonkers. Sign the petition and let them know it can't happen
weact.campact.de/petitions/ch...
This would end secure communication. Absolutely bonkers. Sign the petition and let them know it can't happen
weact.campact.de/petitions/ch...
Chatkontrolle stoppen!
Die EU-Kommission will Messenger-Dienste wie WhatsApp und Signal zwingen, alle privaten Nachrichten und Fotos in Echtzeit zu scannen. Angeblich zum Kinderschutz. In Wahrheit bedeutet die Chatkontrolle...
weact.campact.de
October 7, 2025 at 12:27 PM
The EU (and Germany) want to ban End-to-end encryption in Whatsapp etc. But we may be able to stop them.
This would end secure communication. Absolutely bonkers. Sign the petition and let them know it can't happen
weact.campact.de/petitions/ch...
This would end secure communication. Absolutely bonkers. Sign the petition and let them know it can't happen
weact.campact.de/petitions/ch...
I got the "paru.dev" domain. Thought it sounded nice. Let's see if I ever use it.
There is the paru package manager already. Maybe I'll give it to them if they need it.
There is the paru package manager already. Maybe I'll give it to them if they need it.
October 5, 2025 at 7:29 PM
I got the "paru.dev" domain. Thought it sounded nice. Let's see if I ever use it.
There is the paru package manager already. Maybe I'll give it to them if they need it.
There is the paru package manager already. Maybe I'll give it to them if they need it.