Node Weekly Issue 572: April 1, 2025

#572 — April 1, 2025

Together with

Express 5.1: Express 5 Finally Becomes the 'Latest' Release — After a period of some dormancy, Express 5.0 was released last year, but remained a somewhat experimental ‘edge’ release as it went through a security audit and process of building up new governance. With 5.1, however, Express 5.x finally becomes the ‘latest’ tagged release on npm, so be careful with those upgrades (luckily there’s a migration guide).

Express Technical Committee

💬 I was amused by some discussion about the release on Reddit, where maintainer Wes Todd said: "We tried to kill [Express] over and over and it keeps on getting up and converting more people into zombies for the zombie mob. So we did the best we could to research a way to bring it back from zombie status."

ThePrimeagen's Dev Setup Is Better Than Yours — See why simpler dev tooling is better by hand-crafting an environment with bash scripts. You'll learn common Unix tools for managing libraries, interacting with the OS, window management, and more in this course.

Frontend Masters sponsor

Land Ahoy: Leaving the Sea of Nodes — A deeply technical post from a core member of the V8 JavaScript engine team that explains the limitations of Turbofan, one of V8’s optimizing compilers. If you don’t care for the internals of how your JavaScript is compiled and run, just be assured the V8 team is working to make it run even faster!

Darius Mercadier (V8)

IN BRIEF:

Node v18.20.8 (LTS) has been released. It's noteworthy mostly due to v18 going 'end of life' later this month. OpenSSL and root certificates get a bump to keep you going for a little longer, but you should update from v18 to v20 or v22 whenever you can.
Access to Node.js's test CI infrastructure has been restricted due to an as-yet-undisclosed vulnerability. A full report of the incident is forthcoming.

📄 Malware Found on npm Infecting Local Package with Reverse Shell – “For the first time, RL researchers discover malicious locally-installed npm packages infecting other legitimate packages.” Lucija Valentić (ReversingLabs)

📄 5 GitHub Actions Every Maintainer Needs to Know Finley and Davis (GitHub)

📄 How to Set Up TypeScript with Node.js and Express Aman Mittal

🛠 Code & Tools

Teable: Open Source Airtable Alternative atop Postgres — Airtable is a popular data table database SaaS, but here’s a NestJS-powered open-source alternative in a similar manner that sits atop Postgres. GitHub repo.

Teable Team

Nōdo: A Way to Call Node.js from Ruby — A mechanism for letting Ruby scripts make calls to Node.js-based functions via a Unix socket-based IPC approach. (We also learn that “ノード” means “node” in Japanese.)

Matthias Grosser

Playwright MCP: Connect LLMs to Browsers with Playwright — MCP (Model Context Protocol) servers enable certain LLM-based agents (such as Claude Desktop, Claude Code, and Cursor) to perform actions on systems outside of their usual sandbox. This new project from Microsoft enables such LLMs to interact with Web pages via Playwright.

Microsoft

Neutralinojs 6.0: Alternative Cross-Platform Desktop App Approach — Neutralinojs offers an interesting lightweight alternative to something like Electron, as it still lets you build apps that run on Linux, Windows and macOS, but Chromium isn’t bundled – instead the existing installed browser engine is used.

CodeZri

⭐ zx 8.5 – Google's tool for better Node shell scripting.
🤖 node-llama-cpp 3.7 – Run LLMs locally with bindings to llama.cpp.
Axios 0.30 – Long-standing, promise-based isomorphic HTTP client.
Fastify 5.2.2 – The fast, low overhead Node.js web framework.
serve-static 2.2 – A quick way to serve static files from Node.
Verdaccio 6.1 – Lightweight Node.js private proxy registry.
pnpm 10.7 – The fast, efficiency-focused package manager.
Babel 7.27.0

📰 Classifieds

🇫🇷 The Node & Conquer mini-conf hits Paris 4 April! Free talks on running Node in prod, great food & speakers from Sanofi, Allianz, Platformatic & Heal.dev. Sign up!

📸 From Image to Insights – Upload a photo, get a license plate decoded. Our Plate Image Recognition API does it fast and accurately. Try CarsXE Now!

📢 Elsewhere in JavaScript

A roundup of some other interesting stories in the broader JavaScript landscape, in case you've missed them:

The State of Vue.js Report 2025 is one of the best writeups of a community survey I've seen, complete with thorough interviews with Evan You and members of the Nuxt core team, as well as the usual stats.
🤖 If you haven't checked out Google's Gemini AI tool recently, it now supports generating HTML, JavaScript, and React code in a 'canvas' mode for building components on the fly.
ls-lint is a mature tool for linting file and directory names in projects.
LLM wrangler Simon Willison was getting annoyed at being unable to easily visualize incomplete JSON documents so he built an 'incomplete JSON' pretty printer.