#592 — September 9, 2025


Together with Code Rabbit
Node.js Weekly

A Major Supply Chain Attack Hits the npm Ecosystem — In July, Socket warned us about a phishing campaign targeting npm package publishers. Sadly, a prolific package author (among others, like DuckDB, who explain how the attack worked on them) fell victim to the scam, resulting in some popular packages becoming compromised (like Chalk, debug, and others).

Gooding, Brown, et al. (Socket)

💡 Inspired by the above story, Zbyszek Tenerowicz shows off an interesting tool / Webpack plugin (that he works on) called LavaMoat that can be used to sandbox / contain dependencies that are only made available by way of defined policies.

CodeRabbit’s Free AI Code Reviews in IDE - VS Code, Cursor, Windsurf — Code Rabbit brings AI code reviews to VS Code, Cursor & Windsurf. Get line-by-line reviews, one-click fixes & codebase-aware feedback - all free in your IDE. Seamlessly integrates with git workflows. Install the extension & start reviewing!

CodeRabbit sponsor

Bringing Node HTTP Servers to Cloudflare Workers — A few weeks ago we linked to an item that noticed Cloudflare Workers' local dev tools had begun to support Express.js apps – now support has come to Workers proper, with support for node:http’s client and server APIs if you enable Node.js compatibility.

Nizipli and Snell (Cloudflare)

IN BRIEF:

Node.js v20.19.5 (LTS) Released — A quiet release dominated by bugfixes and a large number of dependency updates. It arrived quickly after v22.19.0 (LTS), which unflagged --experimental-wasm-modules, added server.keepAliveTimeoutBuffer to http, and added the ability for Node to use the system’s certificate authority (CA) via the NODE_USE_SYSTEM_CA environment variable.

Marco Ippolito

📄 Getting Accurate Text Lengths with Intl.Segmenter – A useful tip for when str.length isn’t returning what you’d quite expect. Sangeeth Sudheer

📺 Handling 500 Million Clicks with a $4 VPS – A developer goes behind the scenes of his Node.js-backed site that went viral. Andrew Schmelyun

📄 Why I Ditched Docker for Podman (And You Should Too) Dominik Szymański

📄 UDP in Node.js: A Technical Guide Pavel Romanov

🛠 Code & Tools

Mediabunny: A Complete Media Toolkit for JavaScript — A library to read, write and convert popular media file formats (e.g. MP4, MP3, and more) without leaning on dependencies like FFmpeg. You can make thumbnails, extract metadata, write code that gets converted into a video, and more. GitHub repo.

Vanilagy

Rocketadmin: An Efficient and Secure No-Code Back Office Solution — Save time and make things easier for your users with a powerful, feature-rich admin panel. We support all main databases.

Rocketadmin sponsor

sqs-consumer 13.0: Build Amazon SQS-Based Apps Without Boilerplate — Build SQS-based (Simple Queue Service) apps without the boilerplate. Just define an async function to handle the SQS message processing. If it’s good enough for the BBC…

BBC

github-script 8.0: Script the GitHub API in Actions Workflows — If you want to write GitHub Actions that perform operations via the GitHub API using JavaScript, this is for you. Now supports Node.js 24.

GitHub Actions

📰 Classifieds

Master Node API design with ▶️ this video course. Learn API anatomy, auth, testing, deployment, and more. New members get $100 off a yearly membership.

Go beyond caching. Redis 8.2 handles 5x more data with 150 new commands and 8 new data structures vs 7.2. Try Redis Pro—first $200 free.

📢 Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape: