Node JS
Node JS

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

1 day ago

Node JS

NodeJS Proposes Built-In Virtual File System, Sparking Debate Over AI-Generated Contributions

6 days ago

Node JS

Why Senior Node.js Developers Need Production Context Inside the IDE

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

Automatic Sourcemap Retrieval in Production: Debugging Without the Friction

Debugging Node.js applications in production is complicated due to sourcemap management issues.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

Node.js v26 Is Here: What Actually Changed

Node.js v26.0.0 introduces the Temporal API by default, V8 14.6, Undici 8, and new deprecations for modernization.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

A Better Streams Model for JavaScript Is Taking Shape

The Node.js ecosystem is evolving to make streams easier to use while maintaining their powerful capabilities.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

Scan, Analyze, Execute: NodeSource's Three-Step Workflow for Stress-Free Node.js Migration

NodeSource and OpenJS Foundation launch a program to help companies upgrade from outdated Node.js versions to the latest LTS releases.

1 day ago

NodeJS Proposes Built-In Virtual File System, Sparking Debate Over AI-Generated Contributions

A node:vfs module would add a first-class in-memory virtual file system to Node.js core, enabling diskless workflows, sandboxing, and faster testing.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

6 days ago

Why Senior Node.js Developers Need Production Context Inside the IDE

Modern Node.js workflows are centralized in IDEs, but production runtime visibility remains disconnected from coding context.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

Automatic Sourcemap Retrieval in Production: Debugging Without the Friction

Debugging Node.js applications in production is complicated due to sourcemap management issues.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

Node.js v26 Is Here: What Actually Changed

Node.js v26.0.0 introduces the Temporal API by default, V8 14.6, Undici 8, and new deprecations for modernization.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

A Better Streams Model for JavaScript Is Taking Shape

The Node.js ecosystem is evolving to make streams easier to use while maintaining their powerful capabilities.

fromThe NodeSource Blog - Node.js Tutorials, Guides, and Updates

Scan, Analyze, Execute: NodeSource's Three-Step Workflow for Stress-Free Node.js Migration

NodeSource and OpenJS Foundation launch a program to help companies upgrade from outdated Node.js versions to the latest LTS releases.

Friday Links #38 - Modern JavaScript, AI Coding Tools & Web Releases

TypeScript 6.0 serves as a bridge toward TypeScript 7, aligning with modern ESM workflows and evergreen runtimes while Bun and Deno advance developer tooling.

fromLogRocket Blog

How to build your first MCP server with Node.js - LogRocket Blog

MCP enables AI models to call real tool functions, letting them perform deterministic actions like database queries and file operations via an MCP server.

3 days ago

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

Although the affected packages were all Composer packages, the malicious code was not added to composer.json. Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code. This cross-ecosystem placement makes the activity stand out because developers and security teams scanning PHP dependencies may only focus on Composer-related metadata, while skipping package.json lifecycle hooks that are bundled within the package. The malicious versions have since been removed from Packagist.

Node JS

6 days ago

AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks

A compromised npm account enabled rapid publication of hundreds of malicious package versions, infecting many AntV namespace packages and spreading via a worm.

fromnews.bitcoin.com

822K Downloads at Risk: Malicious node-ipc Versions Spotted Stealing AWS and Private Keys

Three tainted node-ipc releases automatically steal developer and cloud credentials via DNS tunneling, affecting projects that installed or updated them.

fromThe Cyber Express

Node-ipc Npm Package Hit By Credential Stealer Attack

Malicious node-ipc npm releases used obfuscated code to fingerprint systems, steal files, encrypt data, and exfiltrate via DNS, with prior versions also compromised.

The Tiny Proxy That Fixed Local Development for Our Multi-Repo Frontend

A local HTTPS reverse proxy with path-based routing and API proxying enables micro-frontends to run like a monolith on one domain.

#npm

Node JS

Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

Axios npm Package Compromised in Supply Chain Attack

A significant supply chain attack on Axios introduced a Remote Access Trojan via hijacked maintainer accounts, affecting numerous developer environments.

fromBleepingComputer

Hackers compromise Axios npm package to drop cross-platform malware

Hackers compromised the Axios npm account to distribute remote access trojans across multiple operating systems.

Top npm package backdoored to drop dirty RAT on dev machines

A widely used npm library, axios, was compromised to deliver malware through a maintainer's hijacked account.

Node JS

Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

Axios npm Package Compromised in Supply Chain Attack

A significant supply chain attack on Axios introduced a Remote Access Trojan via hijacked maintainer accounts, affecting numerous developer environments.

fromBleepingComputer

Hackers compromise Axios npm package to drop cross-platform malware

Hackers compromised the Axios npm account to distribute remote access trojans across multiple operating systems.

Top npm package backdoored to drop dirty RAT on dev machines

A widely used npm library, axios, was compromised to deliver malware through a maintainer's hijacked account.

AdonisJS v7 Ships End-to-End Type Safety, Reworked Starter Kits and Zero-Config OpenTelemetry

AdonisJS v7 adds end-to-end type safety via codegen, typed routing, serialization, and type-safe API clients, alongside new starter kits and improved observability and docs.

fromTanstack

2 weeks ago

Postmortem: TanStack npm supply-chain compromise | TanStack Blog

The malicious versions were detected publicly within 20 minutes by an external researcher ashishkurmi working for stepsecurity. All affected versions have been deprecated; npm security has been engaged to pull tarballs from the registry. We have no evidence of npm credentials being stolen, but we strongly recommend that anyone who installed an affected version on 2026-05-11 rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host.

Node JS

fromNew Relic

2 weeks ago

OpenTelemetry Collector Configuration for New Relic Language Agent Error Filtering | New Relic

NR language agents can therefore be configured to ignore certain errors by HTTP status code or error class. The result is that errors are still sent to New Relic, but are prevented from affecting error rate or appearing in errors inbox.

Node JS

fromBleepingComputer

2 weeks ago

Critical vm2 sandbox bug lets attackers execute code on hosts

A critical vulnerability in vm2 allows escaping the sandbox and executing arbitrary code on the host system.

Friday Links #37 - Dev Tools, AI & JS Updates

JavaScript updates focus on significant performance improvements, new tools, and AI-driven workflows that impact real-world projects.

fromAllthingssmitty

Node JS

Why I don't chain everything in JavaScript anymore - Matt Smith

fromCSS-Tricks

Node JS

A Well-Designed JavaScript Module System is Your First Architecture Decision | CSS-Tricks

fromFrontendmasters

What To Know in JavaScript (2026 Edition)

JavaScript's ECMAScript 2025 introduces new iterator methods and improved set functionalities, enhancing performance and usability for developers.

fromAlex MacArthur

Your options for preloading images with JavaScript

Preloading images in JavaScript can be achieved through various methods, with the best choice depending on specific circumstances.

State of JavaScript 2025: Survey Reveals a Maturing Ecosystem with TypeScript Cementing Dominance

TypeScript continues to dominate the JavaScript ecosystem, with 40% of developers using it exclusively, while Vite surpasses Webpack in satisfaction.

fromSubstack

Friday Links #37 - Dev Tools, AI & JS Updates

JavaScript updates focus on significant performance improvements, new tools, and AI-driven workflows that impact real-world projects.

fromAllthingssmitty

Why I don't chain everything in JavaScript anymore - Matt Smith

Chaining methods in JavaScript can complicate readability and debugging, making step-by-step coding often clearer and easier to manage.

fromCSS-Tricks

A Well-Designed JavaScript Module System is Your First Architecture Decision | CSS-Tricks

JavaScript modules enable private scopes and controlled global access, essential for managing large programs and avoiding conflicts.

fromFrontendmasters

What To Know in JavaScript (2026 Edition)

JavaScript's ECMAScript 2025 introduces new iterator methods and improved set functionalities, enhancing performance and usability for developers.

fromAlex MacArthur

Your options for preloading images with JavaScript

Preloading images in JavaScript can be achieved through various methods, with the best choice depending on specific circumstances.

State of JavaScript 2025: Survey Reveals a Maturing Ecosystem with TypeScript Cementing Dominance

TypeScript continues to dominate the JavaScript ecosystem, with 40% of developers using it exclusively, while Vite surpasses Webpack in satisfaction.

NestJS v12 Roadmap: Full ESM Migration, Standard Schema Validation and Modernised Toolchain

NestJS v12.0.0 will fully migrate to ESM, introduce Standard Schema support, and modernize the toolchain with Vitest and oxlint.

fromEngadget

It runs Doom: AI chatbot edition - Engadget

AI chatbots can now run a playable version of Doom using Model Context Protocol.

4 weeks ago

npmx Reaches Alpha: Community Driven Alternative Browser for the npm Registry

npmx is an open-source package browser for npm that offers a faster, feature-rich experience compared to npmjs.com.

Is your Node.js project really secure?

Dependency security workflows in JavaScript and Node.js lack actionability, leading to late awareness of risks and ineffective responses.

pnpm 11 Release Candidate: ESM Distribution, Supply Chain Defaults and a New Store Format

pnpm 11 RC introduces significant changes in performance, security, and configuration, including a new SQLite-backed store and isolated global installs.

Bun 1.1.13 out with memory fixes as dev complain of leaks

Bun JavaScript runtime 1.1.13 improves testing support and memory management, addressing critical issues like memory leaks in production environments.

fromhowtocenterdiv.com

Bun vs Node.js Performance: Why Your Event Loop Is the Real Bottleneck

Bun outperforms Node.js in specific benchmarks, but real-world performance issues often stem from database and CPU bottlenecks, not runtime choice.

Bun 1.1.13 out with memory fixes as dev complain of leaks

Bun JavaScript runtime 1.1.13 improves testing support and memory management, addressing critical issues like memory leaks in production environments.

fromhowtocenterdiv.com

Bun vs Node.js Performance: Why Your Event Loop Is the Real Bottleneck

Bun outperforms Node.js in specific benchmarks, but real-world performance issues often stem from database and CPU bottlenecks, not runtime choice.

webllm/webblackbox: A Web Blackbox

WebBlackbox records web app interactions and errors, allowing for detailed session replay and debugging.

Linux 7.1 will have an optional new NTFS driver

Linux kernel 7.1 introduces a new read-write NTFS driver, emphasizing clean and maintainable code over significant performance improvements.

I got tired of wiring the same caching stack every project, so I built LayerCache

LayerCache simplifies caching by stacking multiple layers and handling cache misses efficiently.

Pulumi Adds Full Bun Runtime Support

Bun is now a fully supported runtime for Pulumi, allowing developers to execute infrastructure programs without Node.js installation.

fromRaymondcamden

Summarizing Docs with Built-in AI

On-device summarization of various document types, including Office formats, is achievable using libraries like officeParser and Chrome's Summary API.

Using AWS Lambda Extensions to Run Post-Response Telemetry Flush

Lambda extensions enable post-response work, improving API response times by managing telemetry flushing without impacting request handling.

NVD

Axios library versions prior to 1.15.0 are vulnerable to Prototype Pollution, leading to Remote Code Execution and Full Cloud Compromise.

fromSecurityWeek

Axios NPM Package Breached in North Korean Supply Chain Attack

Malicious Axios NPM library versions were distributed in a supply chain attack by North Korean hackers, affecting millions of users.

fromAxios

North Korean hackers implicated in major supply chain attack

A compromised maintainer account for the Axios npm package led to the publication of malicious software versions targeting various operating systems.

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios experienced a supply chain attack due to malicious dependencies in two npm package versions.

fromNist

NVD

Axios library versions prior to 1.15.0 are vulnerable to Prototype Pollution, leading to Remote Code Execution and Full Cloud Compromise.

fromSecurityWeek

Axios NPM Package Breached in North Korean Supply Chain Attack

Malicious Axios NPM library versions were distributed in a supply chain attack by North Korean hackers, affecting millions of users.

fromAxios

North Korean hackers implicated in major supply chain attack

A compromised maintainer account for the Axios npm package led to the publication of malicious software versions targeting various operating systems.

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios experienced a supply chain attack due to malicious dependencies in two npm package versions.

Testing OCR with Chrome Built-in AI

Chrome's built-in AI can perform OCR on images, enabling text extraction and bounding box identification.

fromNist

NVD

Tinyproxy versions up to 1.11.3 are vulnerable to HTTP request parsing desynchronization due to case-sensitive Transfer-Encoding header comparison.

fromYcombinator

Show HN: I rewrote my 2012 self-signed cert generator in Go - cert-depot.com | Hacker News

A new certificate generation tool was built in Go, eliminating external dependencies and improving security features.

fromSecurityWeek

Guardarian Users Targeted With Malicious Strapi NPM Packages

A supply chain attack targeting the Strapi ecosystem involved 36 malicious NPM packages delivering various harmful payloads.

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

36 malicious npm packages disguised as Strapi CMS plugins facilitate exploitation and credential harvesting.

Are We Ready for the Next Cyber Security Crisis Like Log4shell?

Organizations are not prepared for the next cybersecurity crisis, similar to Log4Shell.

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

36 malicious npm packages disguised as Strapi CMS plugins facilitate exploitation and credential harvesting.

Are We Ready for the Next Cyber Security Crisis Like Log4shell?

Organizations are not prepared for the next cybersecurity crisis, similar to Log4Shell.

How to Build Your First Full Stack App as a Beginner

Building a simple full stack project enhances understanding of front end, back end, and database interactions beyond theoretical knowledge.

fromhowtocenterdiv.com

Database Performance Bottlenecks: N+1 Queries, Missing Indexes, and Connection Pools

Database issues, like missing indexes and N+1 queries, are often overlooked in software engineering, leading to persistent performance problems.

fromZDNET

How this strange little distro can boost your Linux skills

Peropesis is a command-line-only OS that can only be run as a live instance. Users log in with the root user and should change the password immediately.

Node JS

Inside Netflix's Graph Abstraction: Handling 650TB of Graph Data in Milliseconds Globally

Netflix engineers developed Graph Abstraction to manage large-scale graph data in real time, enabling fast queries and supporting various internal services.

QCon London 2026: Running AI at the Edge - Running Real Workloads Directly in the Browser

Running AI in the browser enhances privacy, reduces latency, and lowers costs by eliminating reliance on third-party cloud services.

North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

North Korean threat actors use StoatWaffle malware via malicious VS Code projects to steal data and execute commands on infected systems.

I Scanned 10 Popular GitHub Actions Workflows for Undocumented Environment Variables. Here's What I Found.

Many popular JavaScript projects have undocumented environment variables in their GitHub Actions workflows, leading to potential issues for developers forking these projects.

Edge.js launched to run Node.js for AI

Edge.js is a WebAssembly-based JavaScript runtime that safely executes Node.js applications with faster startup times by sandboxing workloads through WASIX.

Why I Stopped Maintaining .env.example by Hand

A new tool automatically discovers environment variables used in Node.js code to prevent stale .env.example files from causing deployment failures.

fromgithub.com

zahhar/ghcp-dashboard: Dashboard with Github Copilot Metrics

A lightweight Node.js dashboard aggregates GitHub Copilot usage metrics via REST API to display team adoption patterns, user engagement, and model/IDE preferences through a browser-based leaderboard interface.

fromAllthingssmitty

Native JSON modules are finally real - Matt Smith

Import attributes enable native JSON module support in JavaScript, eliminating the need for bundler transforms by allowing explicit type declaration with the `with { type: "json" }` syntax.

fromSitePoint Forums | Web Development & Design Community

Node.js: Best pattern to retry failed API calls without creating duplicate side effects?

Implement idempotency through request fingerprinting with an outbox pattern to safely retry third-party API calls when timeout behavior is uncertain and duplicates must be prevented.

TypeScript 6.0 reaches release candidate stage

TypeScript 6.0 reached release candidate stage with improved type checking for function expressions in generic calls, scheduled for general availability on March 17.

fromTechzine Global

New npm browser npmx addresses shortcomings of npmjs

Npmx, an open-source alternative interface to npm's official website, addresses widespread developer dissatisfaction with the current package registry's user experience and presentation of package information.

Why local-first matters for JavaScript

JavaScript innovation accelerates through local-first SQL datastores, universal isomorphic JavaScript via WinterTC, reactive signals adoption, NPM alternatives, Java-JavaScript bridges, and Deno's resurgence.

npmx alternative to npmjs released to fix pain of rpm

npmx is about speed and simplicity. It gives you useful data like install size, module format and outdated dependencies ... we're also building social features into npmx because open source is better when it's easier to connect with the people behind the packages.

Node JS

fromDevOps.com

Malicious NPM Package Gets Downloaded 50K Times Before Discovery - DevOps.com

A malicious npm package downloaded 50,000 times used naming deception and preinstall script hooks to evade detection and compromise Windows, Linux, and macOS systems.

fromMedium