WordPress 7.0, NPM Security, JavaScript - May 2026
Welcome to Hot Web Dev May 2026 featuring the latest in web development. This month we look at the new bumper update that is WordPress 7.0. We look at further attacks on package managers and how they are fighting back. Learning resources show you the hard parts of JavaScript and how to master them. The tool of the month is an animated freebie with no sign up required.
Table of contents:
- WordPress 7.0 Released
- Package Manager Security Updates
- Learning Resources
- WOW Tool Of The Month
- Must-Read Resources From May 2026
WordPress 7.0 Released
WordPress 7.0 is out. The release is titled “Armstrong” in honour of jazz musician Louis Armstrong. It celebrates his impact on music and encourages users to build with their own personal touch.
With this release you can explore AI abilities, manage them from a central hub, and utilise new blocks, design tools, and a developer toolbox.
If you want to upgrade it's recommended that your PHP environment is greater than 8.3. I would also make a backup as this version is a major update. Check that any plugins are compatible before installation.
Version 7.0 features a redesigned dashboard with a modern colour scheme and smooth transitions. The new Command Palette shortcut provides easy access to favourite tools. There is a new font management page that supports all themes.
The AI integration enables communication with generative AI models. It introduces new functionality and workflow automation, including image generation and content creation.
The AI Connectors Admin Screen
New WordPress blocks and design tools enhance the creation of websites, with improved visual control. The user experience (UX) gains enhanced responsive controls.
Customise menu overlays with blocks, patterns, columns, typography, and close buttons.
Quickly compare revision versions to spot changes and revert immediately.
WordPress 7.0 brings expanded APIs and improved functionality. This includes server-level block and pattern creation using PHP and a more flexible Site Editor with improved routing and validation.
This update is huge and brings more AI features to the WordPress platform. Do you like having the AI or do you think this is a step backward?
Package Manager Security Updates
Package managers have been under scrutiny for some time, with NPM targeted often. Most recently, an NPM attack led to the Python package manager being attacked concurrently. Since supply chain attacks can compromise packages in your development environment, it’s a good idea to delay updates or switch to development containers to protect your files.
If you run PHP you will have heard of, or most likely used, Composer. On 22nd May 2026, the laravel-lang package was hit by a supply chain attack. The attack exploited version tags, pointing them to commits from a fork of the same repository.
This has led both Composer and Packagist to improve security in the 2.10 release. For now this includes malware detection, a transparency log for security events, and a unified dependency policy.
Additionally, they are working on implementing Multi-Factor Authentication (MFA) with stricter requirements, and adding a minimum-release-age option to delay installing compromised packages at the point of release.
NPM has introduced staged publishing which adds an approval step before packages go live on the npm registry. Any package requires approval from a maintainer with 2FA before becoming available to the public.
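The release-age delay described above can be sketched as a small version gate. This is an added example, not code from npm, Composer or Packagist. It assumes metadata in the npm registry's packument shape, where `time` maps each version to its publish timestamp; `pickAgedVersion`, `samplePackument` and the package name are hypothetical.

```javascript
// Added example: release-age gate over npm-registry-style metadata.
// Assumption: input looks like { versions: {...}, time: { "<version>": ISO date } }.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse strict x.y.z; prereleases and malformed strings return null and are skipped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the highest stable version published at least minAgeDays before `now`,
// plus the newer versions the gate held back. A version with no publish
// timestamp is treated as too new (fail closed).
function pickAgedVersion(packument, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const times = packument.time || {};
  const stable = Object.keys(packument.versions || {})
    .map((v) => ({ v, parts: parseVersion(v), at: Date.parse(times[v]) }))
    .filter((e) => e.parts !== null)
    .sort((x, y) => compareVersions(y.parts, x.parts)); // newest first
  const heldBack = [];
  for (const e of stable) {
    if (!Number.isNaN(e.at) && e.at <= cutoff) return { selected: e.v, heldBack };
    heldBack.push(e.v);
  }
  return { selected: null, heldBack };
}

// Constructed sample metadata (hypothetical package, not real registry data).
const samplePackument = {
  name: "example-lib",
  versions: { "1.4.0": {}, "1.4.1": {}, "1.5.0": {}, "1.5.1": {}, "2.0.0-beta.1": {} },
  time: {
    "1.4.0": "2026-03-01T10:00:00Z",
    "1.4.1": "2026-04-20T10:00:00Z",
    "1.5.0": "2026-05-20T10:00:00Z",
    "2.0.0-beta.1": "2026-05-21T10:00:00Z", // "1.5.1" deliberately has no timestamp
  },
};

console.log(pickAgedVersion(samplePackument, 7, new Date("2026-05-23T00:00:00Z")));
```

With a 7-day window evaluated on 23 May 2026, the gate holds back the two newest releases and resolves to 1.4.1, so a version published and pulled within the window never reaches the install.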
Learning Resources
Sumit Saha’s new freeCodeCamp YouTube course delves into JavaScript’s inner workings beyond syntax. The 4-hour course on learning how to think in code features the hard parts of JavaScript, covering scope, execution context, prototypes, event propagation and high-performance techniques.
In another video course the JavaScript Event Loop is explained. It demonstrates how the event loop manages asynchronous tasks while maintaining single-threaded execution. The course delves into browser runtime components, the call stack, web APIs and the event loop’s crucial role in connecting queues to the stack.
WOW Tool of the Month
SVG Studio is a free, browser-based animation editor for creating keyframe animations with SVGs. It offers a timeline, keyframes, and a playhead for animating properties like position, rotation, scale, and opacity. Once exported the animations are self-contained SVGs with embedded CSS keyframes. They are compatible with any platform that supports CSS animations.
There is no blockchain or AI involved, no telemetry or sign-up required.
Must-Read Resources From May 2026
- What I Learned Implementing the Same Program in Seven Languages
- Talking to the new Ecosystem AI Security Engineer
- Speeding up the JavaScript ecosystem - oxlint and oxfmt
- Choosing CSS Selectors for Production: Specificity, Modern Pseudo-Classes, and Maintainable Styles
- GitHub Copilot Is changing how it bills you - Here's how to check the impact