Ten top web application security threats
#600 — November 11, 2025
Node.js Security Best Practices — Did you know the Node.js project maintains a page about security best practices organized around how to mitigate ten of the most significant vectors? Topics include networking weaknesses, timing attacks, supply chain attacks, and the monkey patching of intrinsics.
Node Documentation
💡 On security, Liran Tal’s Awesome Node.js Security is always worth a revisit and includes numerous resources and a timeline of notable security incidents. OWASP has also just released an RC of its list of the top ten webapp security threats in 2025.
Agentic Postgres: AI-Ready Postgres for Go Developers — Tiger Data’s Agentic Postgres turns vanilla Postgres into an AI-native database. Fork DBs, give agents memory, and query via REST or CLI. Perfect for Go backends building with Claude, Cursor, or custom agents. Try it free—no card needed.
Tiger Data sponsor
pnpm 10.21: Safer Installs and Smarter Runtime Management — pnpm can now automatically install the Node version required by a dependency, declared in its engines.runtime field, meaning CLI apps and postinstall scripts will run with the specified version. A new trustPolicy setting also adds protection against supply-chain attacks by failing to install packages whose trust level drops (e.g. if a package’s build pipeline loses attestation).
Zoltan Kochan
IN BRIEF:
GitHub has updated its post about ongoing npm security changes. npm classic tokens can no longer be created, but existing ones will continue to work until February 2026 at the latest.
On Reddit’s /r/node, Jeet Shekhaliya shares his efforts to create a system to automatically test thousands of popular npm packages against the latest daily build of Node. You can see the latest report here.
Dr. Axel Rauschmayer noticed a pnpm feature we weren’t aware of before: the ability to install and manage different versions of Node.
Node.js 24 is now available on Azure App Service for Linux.
▶ The State of Node.js 2025 Explained by Matteo Collina — A thirty minute talk from JSNation earlier this year where TSC member Matteo presented an update on Node’s still-growing popularity, release schedule, security, recent performance enhancements, the permissions system, and more.
GitNation
📄 Error Chaining in JS: Cleaner Debugging with Error and cause Matt Smith
📄 Building NestJS Applications Following the CQRS Model Christian Nwamba
📄 Zod + TypeScript: Schema Validation Made Easy Hassan Djirdeh
🛠 Code & Tools
Umami 3.0: A Self-Hosted, Privacy-Focused Google Analytics Alternative — Think something like Plausible or Google Analytics, but built in Node and ready for you to host yourself. Here’s the full feature list. MIT licensed but also available as a paid hosted service.
Umami Software, Inc.
Unify Logs, Errors, and Traces in One Place — See logs, errors, and traces together in one place for full context. Debug faster with Sentry Logs.
Sentry sponsor
Tasuku (タスク): A Minimal Task Runner for Node — Tasuku, Japanese for ‘task’, provides a clean way to break up processes into small tasks, which can then be run in the right order with progress displayed elegantly in the terminal. Think make but Node-flavored. Live demo.
hiroki osame
🛑 fkill 10.0: A Cross-Platform Way to Kill Processes — Working on macOS, Linux, and Windows, this gives you a nice API for killing processes. For example: await fkill('chrome', {waitForExit: 2000});
Sindre Sorhus
CSSOM: A CSS Parser Written in Pure JavaScript — Also a partial implementation of CSS Object Model.
Nikita Vasilyev
Render.js: A Raytracing Renderer with RenderMan Format Support — Created at Pixar in the 80s, the RenderMan Interface Specification was an early API for building 3D scenes. Anders has been building a Node-based, 90s-style renderer for the format “as a stroll down amnesia lane” in pure JavaScript.
Anders Brownworth
MongoDB Node.js Driver 7.0 – The latest official MongoDB driver. I love how thorough MongoDB’s release notes always are for these!
pg-promise v12.3 – Extended Postgres driver for Node with automatic connections and transactions, query generation, and more.
file-type 21.1 – Detect the file type of a file, stream, or data. Now also supporting .tar.gz files and Windows registry files.
pg-boss 12.0 – Postgres-based job queuing system for Node. Has migrated to ESM, so existing users have some changes to make.
🤖 Repomix 1.9 – Pack an entire repository into a single, LLM-friendly file.
Fastify 5.6.2 – The fast, low overhead Node web framework.
Prisma 6.19 – Popular ORM for Node.js and TypeScript.
node-mssql 12.1 – Microsoft SQL Server client library.
📰 Classifieds
🐱 ConfigCat Feature Flag Service lets you release and roll back features safely without code changes. Set it up in minutes! Save 25% now!
Add e-signatures to your Node.js app in minutes with the BoldSign Node.js SDK—powered by our e-signature API. Get your free API key today.
📢 Elsewhere in the ecosystem
A roundup of some other interesting stories in the broader landscape:
🇯🇵 Fancy writing JavaScript in Japanese (above)? Say こんにちは to KokoScript.
On the topic of Japan, if you know a company in Japan that would benefit from having one of JavaScript’s best-known names as an employee, Dan Abramov is looking for a job in Japan right now.
I enjoyed Lea Verou’s cute proxy-based trick for creating JavaScript symbols on demand.
GitHub did a quick interview with TypeScript co-creator Anders Hejsberg about the rise of TypeScript (now the #1 language on GitHub) and its role in a more AI-oriented world.
Ben Visness writes about how Mozilla has overhauled its internal tools for visualizing JavaScript and WebAssembly compilation, complete with interactive graphs.
If you need to embed JavaScript into places Node doesn’t yet go, Hako is an interesting WebAssembly-oriented option.