#602 — November 25, 2025


Node.js Weekly

How a Summer in Abruzzo Helped Bring Type Stripping to Node.js — Node.js TSC member and committer Marco tells the personal tale of what it took to bring type stripping (now considered stable) to Node. It’s neat to get the back story. He’s now working on a new experimental feature: --experimental-config-file

Marco Ippolito

Tiger Data Taught AI to Write Real Postgres Code. Try it Today. — Tiger Data taught AI how to write idiomatic Postgres and open-sourced it. pg-aiguide brings real DB expertise to Claude Code, or any other MCP-enabled tool.

Tiger Data sponsor

⚠️ Shai Hulud 2.0: The Widespread npm Supply Chain Attack is Back — The big story this week is an evolution of a previous story we’ve covered about a 'worm' that spreads through npm packages. GitLab does a good job of explaining what’s going on: an infected package gets installed then executes a malicious payload which exfiltrates GitHub, npm, and other credentials, then infects and publishes yet more packages.

Abeles and Henriksen (GitLab)

💡 Numerous sources have written about this latest wave of attacks including Wiz, Snyk, Socket, Aikido and HelixGuard. Corridor's Shai Hulud 2.0 Detector can also be used to scan a package.json file for known affected packages.

IN BRIEF:

📄 An Experiment in Making TypeScript Immutable-by-Default — “I wondered: is it possible to make TypeScript values immutable by default?” Evan Hahn

📄 A Comprehensive Guide to Error Handling in Node Ayooluwa Isaiah (Honeybadger)

🛠 Code & Tools

Gluegun: A Toolkit for Building Node-Powered CLIs — For building CLI apps with many features available 'out of the box', including templating, sub-command support, colorful output, argument parsing, etc.

Infinite Red, Inc.

tshy 3.1: TypeScript HYbridizer — A tool by Isaac Z. Schlueter for building hybrid modules that Just Work™ in both ESM and CommonJS contexts, if you’re not quite ready to go ESM only.

Isaac Z. Schlueter

BoldSign eSignature API & SDK — Built for Developers, Easy to Integrate — ✍️ Ship secure e-signatures in your app in minutes with the BoldSign SDK & API. Get your free API key and start testing today.

BoldSign sponsor

(*.js) Glob 13: Match Files Using Shell-Style Patterns — “The most correct and second fastest glob implementation in JavaScript.”

Isaac Z. Schlueter

is-online 12.0: Check if the Internet Connection Is Up — Works in both Node and the browser and uses several approaches to check if the Internet is really available.

Sindre Sorhus

open v11.0: Open URLs, Files, Executables, etc. Cross-Platform — Designed for use in command line tools and scripts, open acts similarly to macOS’s terminal namesake: open

Sindre Sorhus

jsonld.js v9.0: A JSON-LD Processor and API Implementation — JSON-LD (JSON for Linking Data) is a JSON-based format used to represent objects on the Web in a way that’s easy for code to read.

Digital Bazaar, Inc.

  • Prisma 7.0 – Popular ORM for Node.js and TypeScript. The Rust-free Prisma Client is now the default.

  • Mongoose 9.0 – Popular MongoDB object modeling library.

  • 🖼️ exiftool-vendored.js v33.4 – Fast, cross-platform Node.js access to ExifTool for extracting metadata from photos.

  • 🔎 Node File Trace (NFT) 1.1 – A tool from Vercel for determining exactly which files are necessary for an app to run.

  • Link Preview JS 4.0 – Extract Web link information from a URL using OpenGraph tags.

  • node-redis 5.10 – The Redis/Valkey client library adds support for some new commands.

  • cron-schedule 6.0 – Zero-dependency cron parser and scheduler.

  • Wasp 0.19 – Wasp is a Rails-like framework built on Node, React & Prisma.

  • pnpm 10.23 – Fast, space efficient package manager.

📢  Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape:

Photo used with the kind permission of Rob Palmer