A significant supply chain attack on the npm ecosystem
#592 — September 9, 2025
A Major Supply Chain Attack Hits the npm Ecosystem — In July, Socket warned us about a phishing campaign targeting npm package publishers. Sadly, a prolific package author (among others, like DuckDB, who explain how the attack worked on them) fell victim to the scam, resulting in some popular packages becoming compromised (like Chalk, debug, and others).
Gooding, Brown, et al. (Socket)
💡 Inspired by the above story, Zbyszek Tenerowicz shows off an interesting tool / Webpack plugin (that he works on) called LavaMoat that can be used to sandbox / contain dependencies that are only made available by way of defined policies.
CodeRabbit’s Free AI Code Reviews in IDE – VS Code, Cursor, Windsurf — Code Rabbit brings AI code reviews to VS Code, Cursor & Windsurf. Get line-by-line reviews, one-click fixes & codebase-aware feedback – all free in your IDE. Seamlessly integrates with git workflows. Install the extension & start reviewing!
CodeRabbit sponsor
Bringing Node HTTP Servers to Cloudflare Workers — A few weeks ago we linked to an item that noticed Cloudflare Workers’ local dev tools had begun to support Express.js apps – now support has come to Workers proper, with support for node:http’s client and server APIs if you enable Node.js compatibility.
Nizipli and Snell (Cloudflare)
IN BRIEF:
Vercel now supports Express-based backends with zero configuration, and Vercel Functions running on Node now also support graceful shutdowns, giving you 500ms to run cleanup tasks before termination.
📗 NodeBook is a new, in-progress book promising a ‘deep dive’ into Node’s internals, and it already delivers a look inside the V8 JavaScript engine and how Node’s event loop works.
On X, Marco Ippolito laments that Node.js lives in a paradox of progressing both “too fast” and “too slow” for many developers.
Node.js v20.19.5 (LTS) Released — A quiet release dominated by bugfixes and a large number of dependency updates. It arrived quickly after v22.19.0 (LTS), which unflagged --experimental-wasm-modules, added server.keepAliveTimeoutBuffer to http, and added the ability for Node to use the system’s certificate authority (CA) via the NODE_USE_SYSTEM_CA environment variable.
Marco Ippolito
📄 Getting Accurate Text Lengths with Intl.Segmenter – A useful tip for when str.length isn’t returning what you’d quite expect.. Sangeeth Sudheer
📺 Handling 500 Million Clicks with a $4 VPS – A developer goes behind the scenes of his Node.js-backed site that went viral. Andrew Schmelyun
📄 Why I Ditched Docker for Podman (And You Should Too) Dominik Szymański
📄 UDP in Node.js: A Technical Guide Pavel Romanov
🛠 Code & Tools
Mediabunny: A Complete Media Toolkit for JavaScript — A library to read, write and convert popular media file formats (e.g. MP4, MP3, and more) without leaning on dependencies like FFmpeg. You can make thumbnails, extract metadata, write code that gets converted into a video, and more. GitHub repo.
Vanilagy
Rocketadmin: An Efficient and Secure No-Code Back Office Solution — Save time and make things easier for your users with a powerful, feature-rich admin panel. We support all main databases.
Rocketadmin sponsor
sqs-consumer 13.0: Build Amazon SQS-Based Apps Without Boilerplate — Build SQS-based (Simple Queue Service) apps without the boilerplate. Just define an async function to handle the SQS message processing. If it’s good enough for the BBC..
BBC
github-script 8.0: Script the GitHub API in Actions Workflows — If you want to write GitHub Actions that perform operations via the GitHub API using JavaScript, this is for you. Now supports Node.js 24.
GitHub Actions
serverless-http 4.0 – Use your existing middleware framework (e.g. Express, Koa) on AWS Lambda.
express-openapi-validator 5.6 – Auto-validate API requests and responses in Express against an OpenAPI 3.x spec.
Prisma 6.15 – The popular ORM for Node.js and TypeScript gains some ‘AI safety guardrails.’
Tinypool 2.0 – Minimal Node.js worker thread pool implementation.
Sidequest 1.7 – Scalable background job processor for Node apps.
MongoDB Node.js Driver 6.19 – The latest official MongoDB driver.
Electron 38.0 – The cross-platform desktop app framework.
express-rate-limit 8.1 – Basic rate limiting for Express apps.
Fastify 5.6 – The fast, low overhead Node web framework.
JSPyBridge 1.2.5 – Run Python from Node or vice versa.
NodeBB 4.5 – The Node.js-powered forum system.
📰 Classifieds
Master API design in Node with ▶️ this video course with Scott Moss. You’ll cover anatomy, middleware, error handling, auth, testing, deployment, and much more.
Go beyond caching. Redis 8.2 handles 5x more data with 150 new commands and 8 new data structures vs 7.2. Try Redis Pro—first $200 free.
📢 Elsewhere in the ecosystem
A roundup of some other interesting stories in the broader landscape:
Learn about why browsers throttle JavaScript timers with Nolan Lawson, and learn about some techniques to schedule functions to run ASAP.
Andromeda is the newest JavaScript runtime on the block, powered by the Nova engine. It’s built in Rust and boasts direct GPU accelerated graphics support, single file compilation, and memory safety.
🗓️ Thoughtbot shares a list of upcoming JavaScript conferences taking place over the remainder of 2025.
Intl Playground is a handy site to get a quick look at how the different options on Intl.DateTimeFormat present in real life.
Deno’s Fresh framework is now out in Fresh 2.0 Beta form. It can now optionally run as a Vite plugin which opens up numerous new possibilities.
TIL the MacBook Pro has a ‘lid angle sensor’ that can be programmatically queried. A video on X shows off the feature with a comedic effect.