A new guide to configuring Node packages
#607 — January 15, 2026
⚠️ The Node.js January 13, 2026 Security Releases — Originally expected in December, these releases (of Node.js 25.3.0, 24.13.0, 22.22.0, and 20.20.0) finally landed this week, largely due to their complexity and the scope of the vulnerabilities they tackle. More on that in the next item!
The Node.js Project
Mitigating a DoS Vulnerability Related to async_hooks — A deep dive into one of the five vulnerabilities tackled by the releases above where apps using async_hooks or AsyncLocalStorage (e.g. React, Next.js, and those using APM tooling) can be forced to exit without throwing a catchable error when recursions in user code exhaust the stack space. Node has mitigated some of the problem, but library and framework creators also have work to do around this issue.
Matteo Collina and Joyee Cheung
💡 Sarah Gooding has a higher-level write-up of the issue on the Socket blog.
Clerk Launches API Keys Public Beta — Let your users create API keys that delegate access on their behalf. Verify keys server-side with the auth() helper, control access with scopes, and revoke instantly. Free during beta.
Clerk sponsor
The Official Node.js Package Configuration Guide — It’s still under development, but the Node team has begun to share an official guide to putting together and configuring your own packages for Node, whether for the first time or if you’re migrating an existing package to ESM and modern best practices.
The Node.js Project
IN BRIEF:
Node Congress is an online JavaScript event taking place this March 26-27.
Vercel Sandbox for Node.js now uses Node.js 24 by default.
Stop Turning Everything Into Arrays (and Do Less Work Instead) — A post showing off iterator helpers, a broadly supported set of methods for working with Iterator objects as a more efficient way of processing data lazily in an iterative (rather than randomly accessed) fashion.
Matt Smith
Node.js Becomes a First-Class Citizen in Microsoft Aspire — Aspire is a Microsoft framework for orchestrating the development and deployment of distributed applications. Originally just targeting .NET, the new Aspire 13 makes JavaScript a first-class citizen, so you can now run Vite, Node.js, and full-stack JS apps with service discovery, built-in telemetry, and production-ready containers.
Microsoft
Scale Time-Series Data Without Leaving Postgres — Full PostgreSQL + hypertables, compression, continuous aggregates. Get real-time analytics without the complexity.
Tiger Data (creators of TimescaleDB) sponsor
📄 Choosing the Right Node.js Job Queue – Spoiler: “BullMQ is right most of the time.”
Jeff Morhous
📄 JavaScript’s for-of Loops Are Actually Fast
Suren Enfiajyan
📄 How to Learn to Build Apps in 2026
Eric Elliott
🛠 Code & Tools
Better SQLite3 12.6: Fast and Simple SQLite3 Library — With node-sqlite3 now unmaintained, Better SQLite is perhaps the best way to work with SQLite from Node. v12.6 upgrades to SQLite 3.51.2. It has good docs too.
Joshua Wise
📄 tinypdf: Minimal PDF Creation Library — And they really do mean minimal: under 400 lines of code, with no dependencies. It doesn’t support images, custom fonts, encryption, etc. but if you want to get basic shapes and text into a PDF (to generate invoices, say), this is a tidy option.
Lulzx
Ohm: A Parsing Toolkit for JavaScript and TypeScript — A powerful library for building PEG-based parsers you can use in interpreters, compilers, analysis tools, etc. and you can even play with its grammar online.
Warth, Dubroy, et al.
memlab 2.0: A Framework for Finding JavaScript Memory Leaks — A framework for identifying memory leaks and optimization opportunities that originated from Facebook’s approach to optimizing its main app. Write scenarios, and memlab compares heap snapshots, filters leaks, and aggregates the results.
Facebook Open Source
pnpm 10.28 – Adds a beforePacking hook to customize package.json’s contents at publish time. A neat way to modify the package manifest included in the published package without affecting your local package.json.
actions/setup-node 6.2 – Set up a GitHub Actions workflow with a specific version of Node.js.
LogTape 2.0 – Simple logging library for all major JS runtimes. Changelog.
🤖 OpenAI Node 6.16 – The official Node library for OpenAI’s APIs.
exiftool-vendored.js v35 – Process metadata from photos.
NodeBB 4.8 – Node.js-powered forum system.
📰 Classifieds
🚀 Auth0 for AI Agents is the complete auth solution for building AI agents more securely. Start building today.
📢 Elsewhere in the ecosystem
A roundup of some other interesting stories in the broader landscape:
A year ago, developer Dimitri Mitropoulos got Doom to run inside TypeScript’s type system. Now, he’s joined Dillon Mulroy ▶️ to walk through the entirety of how it works (in a mere six hours!)
📘 The Concise TypeScript Book is a short, focused TypeScript guide that’s open and free to read.
A tiny update to the Deno-vs-Oracle trademark dispute with Oracle requesting, and Deno agreeing to, a 60-day extension. The case is set to drag into 2027.
🎉 jQuery turned twenty years old yesterday!