Node Weekly Issue 618: April 2, 2026

#618 — April 2, 2026

Together with

Node.js 25.9.0 (Current) Released — Including a --max-heap-size option to set the maximum heap size for a process, James Snell’s experimental ‘better streams API’ implementation lands as stream/iter (docs here), plus test runner module mocking improvements.

Antoine du Hamel

Memetria K/V: Efficient Redis & Valkey Hosting — Memetria K/V hosts Redis OSS and Valkey for Node.js apps, featuring large key tracking and detailed analytics.

Memetria sponsor

The Hidden Blast Radius of the Axios Compromise — You’ve probably heard about the supply chain attack via Axios this week (if not, be sure to check if you’re affected). Ahmad reflects on the mechanics of such attacks and why their effects spread further than you might think.

Ahmad Nassri (Socket)

💡 If you want to mitigate such attacks, Dani Akash has a guide to using 'minimum release age' cooldowns with npm, pnpm, Bun, and Yarn.

IN BRIEF:

MSW's Artem Zakharchenko shares a step-by-step guide to publishing to npm securely in 2026.
The source code for Claude Code leaked a few days ago due to the accidental shipping of source maps in its npm package. A Bun-related issue, but a reminder of how powerful source maps can be.
Cloudflare has released EmDash, a 'spiritual successor to WordPress' that runs both on Cloudflare or 'any Node.js server'.

A Gentle Intro to npm Workspaces — With workspaces, you can manage multiple packages in one repo and link local packages so they can import each other by name. npm may then hoist and deduplicate compatible dependencies during install.

Carlos Precioso (Wasp)

Run Agents on Production-Fidelity Sandboxes — Ox spins up a sandbox for every agent task. Isolated code, compute, and data. Test against prod with zero blast radius.

Ox sponsor

▶️ Most Developers Misunderstand Node.js in Production – A quick 6-minute interview with core contributor Ulises Gascón. Beyond.js (NodeSource)

🤖 Getting Started Building Agents with the Vercel AI SDK in Node Valeri Karpov

📄 Escaping Node.js's Permission Model via Brotli maitai

📄 Why We Replaced Node.js with Bun for 5x Throughput Nick at Trigger

🛠 Code & Tools

🤖 Transformers.js v4: Run AI Models from JavaScript — Run Hugging Face-hosted models to do things like LLMs, vision, and audio models from Node, in the browser, etc. v4 switches to WebGPU and is installable with npm. There are many demos covering speech transcription, using Qwen 3.5, and video captioning.

Hugging Face

💡 The browser demos use large model downloads, so server-side use with Node may be the best use case, even if not the coolest.

node-re2: Bindings for Google's RE2 Regex Library — RE2 is a regular expression library with linear-time matching, making it immune to ReDoS attacks caused by backtracking. node-re2 offers it as a near drop-in replacement for RegExp.

Eugene Lazutkin

Defuddle: Extract the Main Content from Pages — Strips clutter from HTML leaving only the primary content for you to use. There’s a demo where you can try it out.

Steph Ango

dotenv 17.4 – Loads environment variables from .env files into process.env. While now a built-in Node feature, dotenv is a popular dependency with 100M+ downloads a week and offers finer-grained control over the process.
numpy-ts 1.2 – NumPy implementation for TS/JS. Now at ~50% native perf and with Float16 support. (Homepage)
Path-to-RegExp 8.4 – Library to convert path strings with parameters into regexes.
globby 16.2 – Promise-based glob matching, now with global gitignore file support.
ts-blank-space 0.8 – Pure JS type-stripper using the TypeScript 6 parser.
Aedes 1.0.2 – Node.js MQTT broker that runs on any stream server.
Ky 2.0 Prerelease – Popular HTTP client based on the Fetch API.
Got 15.0 – Human-friendly, powerful HTTP request library.
ESLint Markdown Plugin 8.0 – Lint Markdown with ESLint.
file-type 22.0 – Detect the file type of binary files.

📰 Classifieds

🧐 A cheaper Heroku? Our cost comparison calculator puts the PaaS alternatives head-to-head.

Become an AI-first engineer. Gauntlet is a full-time fellowship, no cost. $200K+ roles. Next cohort starts 4/27. Apply Today

SerpApi is a Web Search API for accessing Google and other search engine results in structured JSON. Try SerpApi for free.

📢 Elsewhere in the ecosystem

WWWBasic is a curious Google-hosted project to use the BASIC language in script tags or within Node apps. It's had its first update in years (1.0.2) to add ESM support and improve a few things. This seems to be a true labor of love for Googler Brad Nelson.
QuickBEAM is a JavaScript runtime for Erlang's BEAM VM, as also used by Elixir. It offers compatibility with core Node.js APIs.
Deno v2.7.11 has been released with "tons of Node.js compatibility improvements" covering crypto, child_process, workers, and TTY handling on Windows to match libuv's behavior.
wasm-git is a WASM-compiled version of Git you can use directly from Node. We first linked to this six years ago when it was a mere experiment, but it's come a long way since then.