Today’s issue: Dario drinks goat blood, Turborepo almost invents time travel, and supply chain attackers pretend to be your girlfriend.

Welcome to #476.

---

Cloudflare built its own WordPress

On April 1st, Cloudflare released an open-source TypeScript CMS that they called the spiritual successor to WordPress. Then they spent the next 24 hours trying to convince everyone that it wasn’t an April Fools joke.

They named the project EmDash. And that’s actually a very fitting name because, like their recent Next.js fork, this project was built by AI agents over a couple of months with the occasional human nudge from Matt Kane and Matt “TK” Taylor.

And what single punctuation mark has become most synonymous with AI slop writing in the past 3 years? The em dash. I’m not sure if this means the Cloudflare team is refreshingly self-aware or not at all self-aware, but I’ll leave that up to you.

Matt & Matt say they built EmDash to solve “the WordPress plugin security crisis” and provide a more modern CMS, while WordPress co-founder Matt Mullenweg says it was created to sell more Cloudflare services. And they both might be right. Here’s what’s actually different about it:

• Built on Astro — EmDash is powered by Astro, the content-focused web framework Cloudflare acquired back in January. It stores content as structured JSON instead of HTML and is serverless by default. It’s definitely a more modern take on WordPress, but it also definitely is meant to sell more Cloudflare services.

• Sandboxed plugins — WordPress plugins have full access to your database and filesystem, which is why 96% of its security vulnerabilities come from them. EmDash instead runs each plugin in its own V8 sandbox with declared permissions, like OAuth scopes for plugins. The catch is that this only fully works on Cloudflare’s runtime, which Mullenweg pointed out immediately.

• AI-native from the start — Built-in MCP server, Agent Skills for autonomous site management, and x402 micropayments so AI bots can pay for content access. Mullenweg called the Skills strategy “brilliant” and said WordPress needs to copy it immediately.

Bottom Line: As someone who built my entire newsletter-writing career with an overreliance on em dashes, I’ll never forgive the clankers for what they took from me.

---

Technical deep dive: What is the AI Agent Loop?

There’s only one difference between a chatbot and an AI agent: the agent loop.

It’s what allows agents to perceive, reason, call tools, and loop until a job is finished.

Casius Lee wrote a great deep dive that explains the core architecture behind it, how it works, and the code you need to get started.

It covers:

• How the agent loop actually works in code

• The two things that kill agents in production: low observability and runaway token costs (up to 15x more token usage than chat)

• When not to use an agent loop

If you’re building anything agentic right now, the blog post provides a very helpful mental model. Read it here.

---

function todoReducer(state, action) {
  switch (action.type) {
    case 'ADD_TODO':
      const todos = state.todos
      return { 
        ...state, todos: 
        todos.concat(action.payload) 
      }
    case 'REMOVE_TODO':
      const todos = state.todos
      const newTodos = todos.filter(
        (todo) => todo.id !== action.id
      )
      return { ...state, todos: newTodos }
    default:
      return state
  }
}

---

1. Bram Cohen wrote about how the cult of vibe coding has gone too far. But personally, I think people are overreacting to that photo of Sama and Dario dripping in goat’s blood.

2. Babylon.js 9.0 is the “biggest and most feature rich update yet” for Microsoft’s open game and rendering engine.

3. Stop babysitting your coding agents. Unblocked gives them the organizational knowledge to generate mergeable code without the back and forth. It pulls context from your stack, resolves conflicts, and cuts the rework cycle by delivering only what agents need for the task at hand. [sponsored]

4. Our very own Lynn Fisher shared a neat way to remember link and image markdown syntax. Turns out, I’ve been misusing Roy G Biv this whole time.

5. Turborepo 2.9 is now 96% faster. Just 4% more to go until you’re actually moving backwards in time every time your app loads.

6. Flox is a cross-platform package and environment manager that lets you flox activate your way into a fully reproducible dev setup, without containers or system pollution. You get the right Node, right Python, and right Postgres - and your teammates get the exact same environment with one command. [sponsored]

7. Dani Akash wrote about an underrated supply chain defense.

8. Patrick Meenan made the case for why we should ship jQuery and React with the browser. I agree, and think that every new Gmail account should also come pre-subscribed to the world’s most preeminent JavaScript newsletter.

9. Railway lets you deploy any app in a few clicks (or prompts). Just connect your repo, and it reads your code to automatically set up the right config for your project – or let your agents handle it using the Railway CLI. [sponsored]

10. GitHub introduced Rubber Duck to the Copilot CLI. It’s an experimental feature that uses a different AI family to give you a second opinion on your coding agent’s recommendations. A great way to use double the tokens and half the brain cells.

11. The Fig team wrote about how their 5-person engineering team uses the Expo SDK to scale their dietary restrictions app to millions of users.

12. The Axios team shared a post mortem on the recent supply chain attack, including how social engineering was used to compromise a maintainer’s credentials. A good reminder that sexi lady bots on Twitter aren’t your real friends, no matter how well-informed they seem on geopolitical matters.

---

The todos variable is being re-declared within the same block. Variables declared with const and let are block-scoped, meaning they don’t exist outside of the block they were called in. Blocks are created with {} brackets around if/else statements, loops, and functions.

There are many solutions, including changing the variable name in the different cases or removing the variable altogether. We can also wrap each of our cases in a block to isolate the variables.

function todoReducer(state, action) {
  switch (action.type) {
    case 'ADD_TODO': {
      const todos = state.todos
      return { 
        ...state, todos: 
        todos.concat(action.payload) 
      }
    }
    case 'REMOVE_TODO': {
      const todos = state.todos
      const newTodos = todos.filter(
        (todo) => todo.id !== action.id
      )
      return { ...state, todos: newTodos }
    }
    default:
      return state
  }
}