Guess who’s back, back again? Shai-Hulud.
#602 — November 25, 2025
How a Summer in Abruzzo Helped Bring Type Stripping to Node.js — Node.js TSC member and committer Marco tells the personal tale of what it took to bring type stripping (now considered stable) to Node. It’s neat to get the back story. He’s now working on a new experimental feature: --experimental-config-file
Marco Ippolito
Tiger Data Taught AI to Write Real Postgres Code. Try it Today. — Tiger Data taught AI how to write idiomatic Postgres and open-sourced it. pg-aiguide brings real DB expertise to Claude Code, or any other MCP-enabled tool.
Tiger Data sponsor
⚠️ Shai Hulud 2.0: The Widespread npm Supply Chain Attack is Back — The big story this week is an evolution of a previous story we’ve covered about a ‘worm’ that spreads through npm packages. GitLab does a good job of explaining what’s going on: an infected package gets installed then executes a malicious payload which exfiltrates GitHub, npm, and other credentials, then infects and publishes yet more packages.
Abeles and Henriksen (GitLab)
💡 Numerous sources have written about this latest wave of attacks including Wiz, Snyk, Socket, Aikido and HelixGuard. Corridor’s Shai Hulud 2.0 Detector can also be used to scan a package.json file for known affected packages.
IN BRIEF:
Node.js v20.19.6 (LTS) has been released. It’s a minor LTS release with updates to root certificates and OpenSSL, plus the deprecation of HTTP/2 priority signalling (as is the case in RFC 9113 also).
Node.js 24 is now a supported runtime on AWS Lambda (as nodejs24.x) and won’t be deprecated until April 30, 2028.
🎤 TypeScript’s Daniel Rosenwasser and Jake Bailey went on the TypeScript.fm podcast to talk about what’s coming up in TypeScript 6 and 7.
▶️ A brief look behind the scenes of Node.js’s automated release process.
📄 An Experiment in Making TypeScript Immutable-by-Default – “I wondered: is it possible to make TypeScript values immutable by default?” Evan Hahn
📄 A Comprehensive Guide to Error Handling in Node Ayooluwa Isaiah (Honeybadger)
🛠 Code & Tools
Gluegun: A Toolkit for Building Node-Powered CLIs — For building CLI apps with many features available ‘out of the box’, including templating, sub-command support, colorful output, argument parsing, etc.
Infinite Red, Inc.
tshy 3.1: TypeScript HYbridizer — A tool by Isaac Z. Schlueter for building hybrid modules that Just Work™ in both ESM and CommonJS contexts, if you’re not quite ready to go ESM only.
Isaac Z. Schlueter
BoldSign eSignature API & SDK — Built for Developers, Easy to Integrate — ✍️ Ship secure e-signatures in your app in minutes with the BoldSign SDK & API. Get your free API key and start testing today.
BoldSign sponsor
(*.js) Glob 13: Match Files Using Shell-Style Patterns — “The most correct and second fastest glob implementation in JavaScript.”
Isaac Z. Schlueter
is-online 12.0: Check if the Internet Connection Is Up — Works in both Node and the browser and uses several approaches to check if the Internet is really available.
Sindre Sorhus
open v11.0: Open URLs, Files, Executables, etc. Cross-Platform — Designed for use in command line tools and scripts, open acts similarly to macOS’s terminal namesake: open
Sindre Sorhus
jsonld.js v9.0: A JSON-LD Processor and API Implementation — JSON-LD (JSON for Linking Data) is a JSON-based format used to represent objects on the Web in a way that’s easy for code to read.
Digital Bazaar, Inc.
Prisma 7.0 – Popular ORM for Node.js and TypeScript. The Rust-free Prisma Client is now the default.
Mongoose 9.0 – Popular MongoDB object modeling library.
🖼️ exiftool-vendored.js v33.4 – Fast, cross-platform Node.js access to ExifTool for extracting metadata from photos.
🔎 Node File Trace (NFT) 1.1 – A tool from Vercel for determining exactly which files are necessary for an app to run.
Link Preview JS 4.0 – Extract Web link information from a URL using OpenGraph tags.
node-redis 5.10 – The Redis/Valkey client library adds support for some new commands.
cron-schedule 6.0 – Zero-dependency cron parser and scheduler.
Wasp 0.19 – Wasp is a Rails-like framework built on Node, React & Prisma.
pnpm 10.23 – Fast, space efficient package manager.
📢 Elsewhere in the ecosystem
A roundup of some other interesting stories in the broader landscape:
Ecma’s TC39 committee met up last week and progressed numerous proposals including Iterator Sequencing, Await dictionary of Promises, Joint Iteration, Iterator Join, and Typed Array Find Within.
Google unveiled Angular v21 last week, the latest version of its popular JavaScript framework. I enjoyed the nifty retro gaming themed tour of its new features.
Devographics’ annual State of React survey is now open to take again if you’re a React developer.
📗 WebAssembly from the Ground Up is a new (paid) book that walks you through building a compiler in JavaScript. There’s a sample PDF showing off thirty pages of the content – it looks very promising.
🧟 This news would have been funnier on October 31, but AWS has resurrected CodeCommit from the dead. CodeCommit is AWS’s private Git repo hosting platform and it’s generally available again.