Node Weekly Issue 606: January 8, 2026

#606 — January 8, 2026

🎉 Happy New Year! Also, a quick reminder that Node Weekly is now sent every Thursday as part of a reshuffle for many of our newsletters.
__
Your editor, Peter Cooper

Together with

npm to Implement 'Staged Publishing' After Turbulent Shift Off Classic Tokens — 2025 was a tricky year for the npm ecosystem with phishing attacks, Shai Hulud, and changes to npm’s token system. For 2026, GitHub has announced even more changes for publishing npm packages with a new ‘staged publishing’ model that will introduce a review period before packages go live.

Sarah Gooding (Socket)

Finally: A Database AI Agents Can Actually Use — Let your AI agents work directly with PostgreSQL, safely. Instant database forks for testing, native vector search for RAG, built-in guardrails for production. Agentic Postgres handles the complexity so your agents can focus on solving problems.

Tiger Data (creators of TimescaleDB) sponsor

require(esm) in Node: From Experiment to Stability — Joyee Cheung is a long-standing core Node.js contributor and largely responsible for Node’s support for require(esm) (i.e. the ability to load ES modules using require). In this new two-part series, she explains what it took to make require(esm) happen and the details of its implementation.

Joyee Cheung

📺 Joyee also covered some of the above in her fantastic talk, Shipping Node.js packages in 2025, given at Nordic.js.

IN BRIEF:

Reddit's /r/node discussed why Node.js isn't considered "enterprise" compared to, say, C# or Java.
pnpm's lead maintainer, Zoltan Kochan, presents a look back at how 2025 was a transformative year for the project.

Fixing TypeScript Performance Problems: A Case Study — A big monorepo-based TypeScript project was suffering sluggish IntelliSense, long type-checking times, and slow builds, but Solomon’s team found some ways to significantly improve things.

Solomon Hawk

📄 How to Automatically Load .env Files in Node Scripts – It’s a stable built-in feature, since Node 24. Stefan Judis

📄 Benchmarking Express 4 vs Express 5 – As always with benchmarks, be sure to run your own tests before coming to a conclusion. RepoFlow

📄 How Pre-Tenuring Works in V8 Andy Wingo

📄 How to Compile JavaScript to C with Static Hermes Devon Govett

📄 Implementing Streaming JSON in 200 Lines of JavaScript Krasimir Tsonev

🛠 Code & Tools

npmgraph: A Tool to Visualize npm Module Dependencies — Give this Web-based tool one or more npm package names (or a package.json file) to see a visualization of the dependency graph for packages, including where they intersect. Packages can be colored by various criteria (like number of maintainers) and you can download an SVG of the resulting graphs.

Kieffer, Brigante, et al.

Fabric.js 7: A JavaScript HTML5 Canvas Library — Suitable for both browsers and Node (thanks to node-canvas), Fabric provides an object model on top of canvas elements, as well as SVG-to-canvas and canvas-to-SVG features. There are also lots of demos, complete with code, to enjoy.

Bogazzi, Nen, et al.

Stop Credential Stuffing Attacks — Clerk's Free Client Trust Feature — Automatic 2FA on untrusted devices when valid passwords are used. No config needed. Free for all Clerk plans.

Clerk sponsor

pnpm 10.27 – The alternative, efficient (and increasingly security-focused) package manager gets some tweaks, including a setting to ignore trust policy checks for packages published more than a specified time ago.
🔎 file-type 21.2 – Detect file type from a Buffer, Uint8Array, or ArrayBuffer. v21.2 adds support for Mach-O Universal binaries.
Fast HTML Parser 7.0.2 – High performance HTML parser that generates a simplified DOM, with basic element query support.
Middy 7.0 – Node.js middleware engine for AWS Lambda. Now supports Durable Functions.
Node File Trace 1.2 – A tool that determines exactly which files are necessary for an app to run.
Orange ORM 4.8 – Object Relational Mapper (ORM) for Node, Bun and Deno.
Repomix 1.11 – Pack an entire repository into a single, LLM-friendly file.
hot-shots 12.0 & 12.1 – Node.js client for statsd, DogStatsD, and Telegraf.

📢 Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape:

MicroQuickJS is a new JavaScript engine from Fabrice Bellard, the creator of QuickJS, focused on embedded systems and that can run with as little as 10KB of RAM.
Ultimate Linux is a curious experiment to build a minimal userspace for Linux entirely in JavaScript (and powered by the aforementioned QuickJS).
Addy Osmani shares 21 valuable lessons from spending 14 years at Google. Solid advice for remaining a competent and engaged engineer over time.
The results of the State of HTML 2025 survey are now available.
TIL you can get your GitHub profile pic by adding .png to your GitHub profile page's URL, i.e. github․com/USERNAMEHERE.png - you can also append .keys to get public keys and .atom to get a feed of public timeline activity.