Node Weekly Issue 593: September 16, 2025

#593 — September 16, 2025

🗓️ We're taking next week off, so we will be back in your inbox again on Tuesday, September 30.
__
Peter Cooper, your editor

Together with

Node.js v24.8.0 (Current) Released — The big new feature is added support for inspecting HTTP/2 network calls made from Node in Chrome DevTools. There have also been some cryptography related enhancements and npm gets upgraded to v11.6.

Michaël Zasso

pnpm 10.16 Adds Support for Delayed Dependency Updates — The alternative efficient npm package manager has added a way to specify a ‘minimum release age’ for package dependencies, so a setting of ‘1440’ (minutes) will mean only packages released more than one day ago will be installed. This can help avoid malicious versions of packages which are quickly withdrawn.

Zoltan Kochan

Advanced Redis & Valkey Hosting for Node Apps — Memetria K/V helps Node.js developers host Redis OSS and Valkey with key-level visibility, memory tracking, and performance analytics—at any scale.

Memetria sponsor

IN BRIEF:

⚠️ Last week we featured news of a significant npm supply chain attack relating to a variety of popular packages, but yet more are continuing to occur, this time affecting @ctrl/tinycolor among others. The payload in this case is particularly dangerous as it installed a secrets scanner and exfiltrated the tokens found. More technical details here.
Electron 38 has been released and upgrades to Node 22.18 meaning it gets type stripping enabled by default. It also upgrades from Chromium 138 to 140 (admittedly a rather minor update for devs).
📗 Flavio Copes has updated his popular Node.js Handbook, originally released in 2018, in a new 2025 edition. It remains free, though behind an email wall.

Oh No, Not Again: A Meditation on npm Supply Chain Attacks — Noting that “npm has become the largest and easiest way to ship malware”, Tane points a finger at Microsoft, the custodians of the npm registry.

Tane Piper

How To Set-Up Express.js 5 for Production in 2025 — A walkthrough of the basic dev process for the latest version of Express, complete with TypeScript, ESLint, Prettier, file structure, and logging.

Jan Hesters

Automating the Release Process for a Desktop App with GitHub Actions — Dolt Workbench is an SQL workbench packaged as an Electron app and distributed for several platforms. Eric explains how the Dolt team has automated the process and shares the code for their GitHub workflows.

Eric Richardson (DoltHub)

Secure Your Agentic Apps with Auth for GenAI — Secure your agentic apps with features like User Authentication for AI agents, Token Vault, and more with Auth0’s Auth for GenAI (exclusively in Developer Preview).

Auth0 sponsor

📄 How to Keep package.json Under Control – Good tips and tool recommendations here. Tom MacWright

📄 The State of QUIC Support in Node.js – A look at the many year story of bringing native QUIC support to Node and how Node 25 should get the first implementation in place. Pavel Romanov

📄 Using Node's Native Test Runner with TypeScript and React Matthew Brown

📄 Compiling Multiple CSS Files into One – Using either PostCSS or a custom Node.js script with no dependencies. Geoff Graham

🛠 Code & Tools

Feedsmith 2.0: Web Feed Parsing and Generation Library — As well as parsing feeds of various types, you can also create RSS, Atom, JSON Feed, and OPML files with many common namespaces (iTunes, Podcast, Media RSS, Dublin Core, etc.) – here’s a quick start tutorial for using it both in browsers or Node. GitHub repo.

Maciej Lamberski

Trash 10.0: Move Files and Directories to the 'Trash' — Rather than deleting files outright (e.g. unlink), this moves them to the ‘trashcan’ equivalent on Windows, Linux, and macOS.

Sindre Sorhus

openapi-typescript-server: Codegen TypeScript Servers from OpenAPI — CLI and runtime library to help you implement type-safe APIs documented in OpenAPI specs.

Jason Blanchard

Ow 3.0 – Function argument validation for humans (essentially chainable easy-to-read data validations).
🖼️ terminal-image 4.0 – Display images in the terminal. v4 adds support for Kitty's graphics protocol.
npm-publish 4.0 – GitHub Action to publish packages to the npm registry. Now runs on Node 24 with npm 11.
jsdom 27.0 – Pure JS implementation of WHATWG DOM and HTML standards.
LogTape 1.1 – Simple logging library for all major JS runtimes. Changelog.
Undici 7.16 – Node's powerful HTTP client library.
Hexo 8.0 – Popular blog framework/ generator.
node-soap 1.4 – SOAP client and server library.

📰 Classifieds

$100 off yearly Frontend Masters membership! 250+ courses, personalized learning path, workshops with devs from GitHub & Netflix. Sale ends soon →

Go beyond caching. Redis 8.2 handles 5x more data with 150 new commands and 8 new data structures vs 7.2. Try Redis Pro.

📢 Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape:

"Behind the Scenes of bun install" is an epic post by Lydia Hallie of the Bun project covering not only what Bun has done to make its package installation mechanism fast, but also the process and pain points of package installation more generally.
Deno 2.5 has been released. You can now create sets of permissions in deno.json, Deno.test gets some DX improvements, and deno bundle gets a programmatic API so you can script the bundling of your app, along with much more.
A developer satisfies his curiosity by answering which npm package has the largest version number? Some poking around the npm registry's data yields a variety of winners, depending on how you define 'version' and 'largest'.
Someone figured out how to host a web site on a disposable vape.