#619 — April 9, 2026

Together with Microsoft
Node.js Weekly

A Post-Mortem of the Axios Compromise — The Axios team has shared a detailed post-mortem of the recent supply chain compromise where a trojan was pulled in as a malicious dependency. The attack was well planned and involved a sophisticated bit of social engineering.

Jason Saayman / axios

⚠️ Axios isn't the only target. Sarah Gooding reports on ongoing attempts to socially engineer 'high-impact Node.js maintainers.' It's worth being aware of these techniques if you maintain any public npm packages.

You Don’t Have To Attend All 44 Postgres Talks — POSETTE: An Event for Postgres 2026 is a free & virtual developer event on 16-18 Jun. All 44 talks stream live & will be available later. Join live to take part in discussions with speakers & attendees. Check out the schedule and mark your calendar.

Microsoft | AMD sponsor

You Can't Cancel a Promise (Except Sometimes You Can) — You can’t cancel a promise, but you can halt an async function by making it await a promise that never resolves. The function silently stops, and GC cleans up after it. It’s not just a trick; Inngest uses it in production to interrupt long-running workflow functions.

Aaron Harper (Inngest)

IN BRIEF:

Node's Security Bug Bounty Program Paused Due to Loss of Funding — Since 2016, the Node.js project has offered bounties for qualifying security vulnerability reports. This was funded by the Internet Bug Bounty program which is on hiatus as it figures out its role in an AI-assisted landscape. Reports can still be made, but with no monetary reward.

The Node.js Project

tsdown Can Now Generate Executable Files for Node Apps — tsdown, the library bundler from VoidZero (Evan You's company), now supports building standalone executables using Node's Single Executable Applications (SEA) feature.

VoidZero

📄 Building a Runtime with QuickJS

Andrew Healey

🛠 Code & Tools

web-audio-api: Use the Web Audio API from Node — Get full Web Audio API support in Node and play audio on your machine or render it to file (and, yes, Tone.js works too). There are lots of examples to enjoy. v1.0/1.3 supports all 26 audio node types and has a 100% pass rate against the WPT test suite.

Sébastien Piquemal

🗣️ TinyTTS: English Text-to-Speech with a 3.4MB Model — Fast text-to-speech on the CPU with a tiny 3MB model for both Node.js and Python. Has an AI-generated vibe, but it worked well when I used it like this. There’s a demo on the Web to hear what it sounds like.

tronghieuit

Analytics Doesn't Need Its Own Infrastructure — TimescaleDB extends Postgres so analytics runs on live data. Same connection, no pipeline, no second database. Start for free.

Tiger Data (creators of TimescaleDB) sponsor

Marked.js 18.0: Fast Markdown Parser Library — A low level Markdown compiler built for speed, available as both a client and server-side library. The demo shows off the basics. v18 is a bug fix release that also bumps it up to TypeScript 6. GitHub repo.

Christopher Jeffrey

🤖 grammY: An Up-to-Date Telegram Bot Framework — “Make creating Telegram bots so simple you already know how to do it.” This week’s release supports the latest Telegram Bot API 9.6. GitHub repo.

KnorpelSenf

tokenu: du-Like CLI Tool to Count Token Usage in Files and Directories — Could be useful to see if your codebase can fit entirely into a sensible context window, say.

Liran Tal

  • ky 2.0 – Sindre Sorhus's popular, elegant HTTP client library that wraps fetch gets a big upgrade including setting a totalTimeout across all retries, and baseURL for standard URL resolution to make your calls even simpler.

  • npm-check-updates 20.0 – Upgrade package.json dependencies while preserving semantic versioning policies. Now supports cooldowns.

  • ESLint 10.2 – Adds support for language-aware rules through a new meta.languages property. Temporal is now supported too.

  • Ink 7.0 – Build CLI/TUI apps using React. Now uses React 19, requires Node 22+, and adds a lot of useful hooks.

  • content-disposition 1.1 – Work with HTTP Content-Disposition headers.

  • Orange ORM 5.3 – The Node and TypeScript ORM adds MariaDB support.

  • Axios 1.15.0 – The popular HTTP client adds Bun and Deno support.

  • RedisSMQ 10.0 – Simple Redis-backed message queue for Node.

  • node-ical 0.26.0 – iCalendar/ICS (RFC 5545) parsing library.

  • Undici 8.0 – HTTP/1.1 client written from scratch for Node.

  • pnpm v11.0 Beta 8

📰 Classifieds

Route product events to HubSpot, Salesforce, Slack & more in one API call. Retries, fan-out, and delivery guarantees built in.


Ship production AI. Land $200K–$950K. Gauntlet's 10-week no-cost fellowship builds the AI-first engineers hiring managers actually want.


📢  Elsewhere in the ecosystem