Node Weekly Issue 629: June 18, 2026

#629 — June 18, 2026

Together with

Nub: An All-in-One Toolkit That Augments Node — While Bun and Deno try to replace Node, this project from Zod’s creator (and a former Bun employee) extends your existing Node and package manager with nice-to-haves, like fuller TypeScript support (beyond what type stripping offers), faster and more secure package installation, and fuller .env handling.

Colin McDonnell et al.

Free Claude Code Course from Anthropic + Master.Dev — Coding is changing fast, and the engineers who thrive will be the ones who direct AI instead of guessing at it. Lydia Hallie from Anthropic teaches exactly that in our Claude Code course, now free for everyone.

Master.dev sponsor

Node.js 26.3.1, 24.17.0, and 22.23.0 Released — The latest round of security releases is here, with 26.3.1 (Current), 24.17.0 (LTS), and 22.23.0 (LTS) fixing eleven vulnerabilities. Two are of 'high' severity: one around normalizing hostnames for server identity checks in tls, and the other in WebCrypto.

Antoine du Hamel

🔒 The releases above also include Undici 8.5.0 which has addressed some security advisories of its own.

IN BRIEF:

As npm prepares to disable install scripts by default, Andrew Nesbitt looks at how other tools and ecosystems handle install-script allow-listing.
Iroh 1.0 is a peer-to-peer encrypted networking stack that punches through NAT and firewalls. It's built in Rust but has official Node.js bindings.
Babel 8.0 has been released: no new features, but with a focus on modernization. It's ESM-only, ships TypeScript types, and no longer compiles to ES5 and CommonJS by default.

Shipping psql Without psql: A Pure-TypeScript Postgres Client — Postgres platform Neon wanted the experience of Postgres’ psql client in their own Node-powered CLI, without the binary dependency. Here’s how they did it using AI, a strong conformance harness, and a security review.

Vadim Kharitonov (Neon)

A Backdoor in a LinkedIn Job Offer — A hacker, posing as a recruiter on LinkedIn, asked the author to diagnose an issue in a Node project, but the dependencies had a backdoor included. Both the recruiter and the git repo involved also used real identities of people unrelated to the scam.

Roman Imankulov

How LinkedIn Unlocked 18x Code Review Throughput — See how LinkedIn used Orkes and multi-agent workflows to scale code reviews 18x.

Orkes sponsor

📄 What are Git Worktrees, And Why Should I Use Them? – A decade-old git feature that's seen a boost in the AI agent era. Cassidy Williams (GitHub)

📄 Setting Node and pnpm Versions in Cloudflare Workers Programmatically – “I’ve wasted a couple of hours so you don’t have to.” Sen Hongo

📄 Wasp Now Lets You Write Your Full-Stack Logic as a Spec in TypeScript – Say goodbye to the React + Node.js + Prisma full-stack framework’s custom .wasp DSL. Martin Sosic (Wasp)

📄 Why pnpm No Longer Expands Environment Variables in .npmrc Zoltan Kochan

🛠 Code & Tools

✉️ Nodemailer 9.0: Easily Send Emails from Node.js — A long-standing, popular way to send emails over SMTP, through SES, or Sendmail. v9.0 now validates TLS connections by default when fetching remote content.

Andris Reinman

zod-compiler: Compile Zod Schemas Into Zero-Overhead Validators — A build-time compiler that plugs into Vite, webpack, et al. and rewrites existing schemas into optimized, tree-shakeable validators, with the full Zod API preserved.

Gajus Kuizinas

💬 Node Telegram Bot API 1.0/1.1 — Interact with the official Telegram Bot API from Node. Now modernized, rewritten in TypeScript, and ESM-only, with Telegram Bot API 10.1 support.

Yago

eslint-plugin-unicorn 67.0: 200+ Powerful Linting Rules — Sindre’s set of rules that will seriously challenge (and improve) your code, whether it's comments, the depth of nested calls, preferring Temporal over Date, and more.

Sindre Sorhus et al.

📰 Classifieds

⚙️ clerk deploy walks your app to production: instance clone, DNS setup, OAuth credentials, SSL check. Guided, resumable, and available now.

AI writes a growing share of Node services, but your reviewer hasn't caught up to its mistakes. pr-af is AgentField's multi-agent low cost reviewer: compiled per PR, runs on open/closed models. → Star & deploy.

XO 3.0 – Opinionated ESLint wrapper that enforces strict and readable code with zero configuration. Includes eslint-plugin-unicorn (above).
Playwright 1.61 – You can now register and test passkeys, as well as read/write to localStorage and sessionStorage via a new WebStorage API.
ESLint v10.5.0 – Five core rules now highlight smaller ranges of code to avoid shadowing other problems in editors.
Axios 1.18.0 – Security fixes and hardening for the promise-based HTTP client.
node-gyp 13.0 – Cross-platform tool for compiling native addon modules.
graphql-js 17.0 – Official reference implementation of GraphQL for JavaScript.
Faker 10.5 – Generate realistic but fake data for testing and development.
Nx 23.0 – Build system for TypeScript and polyglot monorepos.
BSON Parser 7.3 – BSON parser library.