Node Weekly Issue 628: June 11, 2026

#628 — June 11, 2026

Together with

npm v12 to Stop Running Install Scripts by Default — After a year of supply chain attacks, npm v12 will no longer execute preinstall, install, or postinstall scripts, unless you allow them with a new npm approve-scripts workflow. You can prepare today by upgrading to npm 11.16.0 which prints warnings about anything v12 would block.

GitHub

🔒 npm install will no longer resolve git or remote URLs by default either – these can be switched on using --allow-git and --allow-remote.

Come for Great PostgreSQL Talks – Virtual and Free — Attend talks about PostgreSQL backed app development at POSETTE: An Event for Postgres 2026 (16-18 June). Join live and chat directly with PostgreSQL speakers, other developers and users. There is also swag waiting for you. Register for updates.

Microsoft | AMD sponsor

Node's New Release Schedule and Version Numbers Explained — Node’s moving to a one major release per year cadence as of Node 27 and adding a new ‘alpha’ channel for testing and experimentation. Luciano goes deep into how it’s happening, when, and why.

Luciano Mammino

IN BRIEF:

🔒 New versions of Node.js v26.x, 24.x, and 22.x will be released on, or shortly after, Wednesday, June 17 to address security issues – the highest severity of which is 'HIGH'.
🔒 As the npm worms/supply chain attacks continue, I was intrigued to see this vulnerability report from 2016 which predicted our current woes.
The Drizzle ORM team is 𝕏 unable to publish new releases to npm due to the registry's 100MB metadata limit. Their package currently has 1,397 versions published and will need some cleanup.
In less alarming registry news, an npm tooling bug briefly marked several packages with one-character names as ‘security holders’ (including c, i, n and x) by mistake. A rollback is underway.

📊 ESM Provision by Popular npm Packages Sees a Big Jump — Titus’s twice-yearly look at what popular packages ship finds 38% now expose ESM (and 16% are ESM only), up from 33.4% six months ago.

Titus Wormer

Your Event-Driven Service Deserves an Event-Ready Database — TimescaleDB is Postgres built for time-ordered data. Hypertables, 95% compression, continuous aggregates. $1000 credit.

Tiger Data (creators of TimescaleDB) sponsor

📄 Uncovering the Magic Behind Playwright's Fixtures API – Learn how Playwright knows which fixtures your test needs just from its function signature. Vladimir Ivakin

📄 I Wish Deno Would Keep Doing What It Does Best – “Early Deno set the agenda (…) What Deno is doing now runs in the opposite direction, catching up to what the ecosystem already has.” Hong Minhee

📄 Creating a VS Code Agent Hook to Respond to File Changes Nicholas C. Zakas

🛠 Code & Tools

Node-RED 5.0: The Biggest Editor Overhaul in the Project's History — The Node.js and 'node'-based low-code environment gets "the biggest change to the editor experience in [its] history": updated sidebars, dark theme (above), pausable debug output, and the ability to call Link nodes from Function nodes.

Nick O'Leary

Bonsai: A Safe Expression Language for User-Defined Rules — A fast, sandboxed expression language for when you need to evaluate user-supplied rules, filters, or templates without reaching for eval. Try the playground.

Daniel Fry

DepsGuard: A Tool to Harden npm, pnpm, Yarn and Bun Configs — Can't wait for npm v12's safer defaults? This Rust-based tool audits and rewrites your package manager config, disabling install scripts, enforcing cooldowns, and blocking provenance downgrades.

Arnica

⭐ Commander.js 15.0 – The popular CLI framework is now ESM-only. v14 will be maintained till May 2027 in case you have trouble migrating.
🎬 NodeAV 6.0 – Direct access to FFmpeg's C APIs with minimal abstractions for working with codecs, filters, streams, and more.
Neutralinojs 6.8 – The lightweight cross-platform app framework gets improved native file drag and drop, and a new default window policy to handle target="_blank" links better.
Juice 12.1 – Automattic's library to inline CSS stylesheets into HTML. A common HTML email production task, as used by MJML and node-email-templates.
Cucumber.js 13.0 – The BDD test framework rebuilds its parallel runtime atop worker threads.
Kanel 4.0 – Generate TypeScript types from a live Postgres database.
Envalid 8.2 – Environment variable validation library.

📰 Classifieds

💘 Dyno Sniper has landed! Judoscale’s latest feature solves the noisy neighbor problem for good.

📬 Debug transactional email without leaving your dashboard. Clerk Email Logs (beta) shows delivery status, bounce reasons, and open/click events.

🕹️ node_modules, Now in 3D!

Wander Around a Heap of Packages in node_modules — An interactive browser experience where you can navigate around a node_modules folder FPS-style. Which, why, how? I don’t know, but when something is by packaging expert Andrew Nesbitt of ecosyste.ms, I check it out.

Andrew Nesbitt