How the Seattle Times is using pnpm
#604 — December 9, 2025
🗓️ A quick notice that Node Weekly will be moving to Thursdays in January 2026, as part of a schedule reshuffle for most of our newsletters. We still have one more week before the Christmas break, though, so we’ll be back next Tuesday with our 2025 roundup!
Your editor, Peter Cooper
How We’re Protecting Our Newsroom from npm Supply Chain Attacks — A software engineer at the Seattle Times explains how the paper has been trialing pnpm as an alternative to npm specifically because of its client-side security controls. This isn’t a formal case study but breaks down the technical details well and could give your own team food for thought.
Ryan Sobol
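Two of the pnpm controls that make it attractive for this purpose are its refusal to run dependency lifecycle scripts unless they are allow-listed and, since pnpm 10.16, its ability to refuse package versions published too recently to have been vetted. The following pnpm-workspace.yaml is an added example of those settings, not configuration from the Seattle Times article or from pnpm's own repository; the package names and the `@your-org/*` scope are placeholders, and the settings assume pnpm 10.x.

```yaml
# pnpm-workspace.yaml (added example; assumes pnpm 10.x)

# Refuse to resolve any version published less than 24 hours ago (value is in minutes).
# Most npm supply-chain incidents are detected and unpublished within hours, so a
# short quarantine window keeps a freshly compromised release out of `pnpm install`.
minimumReleaseAge: 1440

# Packages you publish yourself can be exempted from the quarantine.
# "@your-org/*" is a placeholder scope, not a real one.
minimumReleaseAgeExclude:
  - "@your-org/*"

# pnpm 10 does not run preinstall/install/postinstall scripts of dependencies
# unless they are listed here, so a malicious postinstall never executes.
# Only list packages that genuinely need a native build step.
onlyBuiltDependencies:
  - esbuild
```

Run `pnpm install` once after adding these; pnpm reports any dependency whose build scripts were skipped, which is the list to review before extending `onlyBuiltDependencies`.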
⚠️ Node.js December 15, 2025 Security Releases — New releases of Node’s v25.x, 24.x, 22.x, and 20.x release lines are expected next Monday, or shortly thereafter, to address five security vulnerabilities (three with ‘high’ severity). We’ll share an update in next Tuesday’s issue.
The Node.js Project
Level Up Redis Visibility in Node.js — See inside Valkey and OSS Redis. Memetria K/V adds key-level visibility, memory analytics, and performance insights built for Node.js developers — so you can detect large keys and optimize latency before users notice.
Memetria sponsor
No More Tokens: Locking Down npm Publishing Workflows — Following the recent spate of high-profile npm security incidents, Zach, author of 11ty, decided to carry out a full audit of his npm security footprint and shares some tips any package publisher can adopt.
Zach Leatherman
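The token-free approach the title refers to is npm's trusted publishing, where the registry accepts a short-lived OpenID Connect token minted by the CI run instead of a long-lived `NPM_TOKEN` secret. Below is an added example of a GitHub Actions workflow using it; it is not Zach's workflow or 11ty's. It assumes the package's trusted publisher (this repository and this workflow filename) has already been registered on npmjs.com, that the runner's npm is 11.5.1 or newer (Node 24 ships a recent enough npm), and that the tag pattern and test step suit your project.

```yaml
# .github/workflows/publish.yml (added example; assumes the trusted publisher
# is configured for this package on npmjs.com)
name: Publish to npm
on:
  push:
    tags: ["v*"]        # assumed release convention

permissions:
  contents: read
  id-token: write       # lets the job request an OIDC token; nothing else is granted

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # The weak version of this step would add
      #   env: { NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} }
      # Here npm exchanges the OIDC token for a publish credential on its own,
      # so there is no secret to leak, rotate, or phish.
      - run: npm publish --access public
```

With trusted publishing in place, the remaining hygiene steps are on the registry side: delete the granular access tokens the workflow used to depend on, and require two-factor authentication for any publish that still happens from a developer machine.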
Progress on TypeScript 7 — v6.0 is going to be TypeScript’s last JavaScript-based release and will act as a stepping stone to the native Go port that becomes v7.0, which is already shaping up to be some 10x faster.
Daniel Rosenwasser (Microsoft)
How We Made @platformatic/kafka 223% Faster — Platformatic’s Kafka client was created last year because the existing options at the time had various compatibility and performance issues, but Platformatic wanted even more performance. Here’s how they benchmarked the client, identified some bottlenecks, and then solved them.
Paolo Insogna (Platformatic)
📄 Replacing glob-all with fs.promises.glob in Node – SiteLint
📄 The Nuances of JavaScript Typing Using JSDoc – Jared White
📄 How to Use GitHub Copilot Spaces to Debug Issues Faster – Andrea Griffiths (GitHub)
🛠 Code & Tools
ts-exec: Execute TypeScript on Node using SWC — From the creator of Adonis comes another way to run TypeScript on Node. While Node 22.18+ supports type stripping, ts-exec supports JSX and decorators and has some benefits over ts-node and tsx.
Harminder Virk
BoldSign eSignature API & SDK — Built for Developers, Easy to Integrate — ✍️ Ship secure e-signatures in your app in minutes with the BoldSign SDK & API. Get your free API key and start testing today.
BoldSign sponsor
iceberg-js: A JavaScript Client for Apache Iceberg — A minimal, vendor-agnostic JavaScript client for the Apache Iceberg REST Catalog API.
Katerina Skroumpelou (Supabase)
Remend: Automatic Recovery of Broken Streaming Markdown — Brings intelligent handling of incomplete Markdown to your app, particularly useful when rendering LLM output as it streams in. It’s extracted from Vercel’s Streamdown library, a drop-in replacement for react-markdown designed for AI-powered streaming.
Hayden Bleasel (Vercel)
GitHub Actions’ setup-node 6.1 – A minor bump for the action that installs Node within a GitHub Actions run.
🤖 OpenAI Node 6.10 – The official Node library for OpenAI’s API adds support for gpt-5.1-codex-max and compaction.
jsdom 27.3 – Pure JS implementation of WHATWG DOM and HTML standards.
📸 exiftool-vendored.js 34.0 – Use ExifTool to get metadata from photos.
Mongoose 9.0.1 – Popular MongoDB object modeling library.
hot-shots 11.4 – Node.js client for statsd, DogStatsD, and Telegraf.
pnpm 10.25 – The alternative, efficient package manager.
Prisma 7.1 – Popular ORM for Node.js and TypeScript.
Prettier 3.7 – The opinionated code formatter.
📢 Elsewhere in the ecosystem
A roundup of some other interesting stories in the broader landscape:
Anthropic, best known for its Claude LLMs, has acquired the company behind the Bun JavaScript runtime. Bun will remain open source.
In other Bun news, Bun v1.3.4 was released with support for URLPattern, fake/controllable timers in its test runner, and console.log now supports the %j specifier like Node does.
🎧 Microsoft has launched a VS Code Insiders podcast to allow the VS Code team to go “beyond the release notes” and talk about VS Code’s features and adjacent ecosystem.
Gleb Bahmutov has been publishing a daily Cypress vs Playwright advent calendar this month.
Oxlint introduces type-aware linting in alpha form.
🎂 JavaScript was first announced in this press release 30 years ago.