
#604 — December 9, 2025


🗓️ A quick notice that Node Weekly will be moving to Thursdays in January 2026, as part of a schedule reshuffle for most of our newsletters. We still have one more week before the Christmas break, though, so we'll be back next Tuesday with our 2025 roundup!
Your editor, Peter Cooper

Together with Memetria
Node.js Weekly

How We're Protecting Our Newsroom from npm Supply Chain Attacks — A software engineer at the Seattle Times explains how the paper has been trialing pnpm as an alternative to npm specifically because of its client-side security controls. This isn’t a formal case study but breaks down the technical details well and could give your own team food for thought.

Ryan Sobol

⚠️ Node.js December 15, 2025 Security Releases — New releases of Node’s v25.x, 24.x, 22.x, and 20.x release lines are expected next Monday, or shortly thereafter, to address five security vulnerabilities (three with ‘high’ severity). We’ll share an update in next Tuesday’s issue.

The Node.js Project

Level Up Redis Visibility in Node.js — See inside Valkey and OSS Redis. Memetria K/V adds key-level visibility, memory analytics, and performance insights built for Node.js developers — so you can detect large keys and optimize latency before users notice.

Memetria sponsor

No More Tokens: Locking Down npm Publishing Workflows — Following the recent spate of high-profile npm security incidents, Zach, author of 11ty, decided to carry out a full audit of his npm security footprint and shares some tips any package publisher can adopt.

Zach Leatherman

Progress on TypeScript 7 — v6.0 is going to be TypeScript’s last JavaScript-based release and will act as a stepping stone to the native Go port that will eventually become v7.0, which is already shaping up to be some 10x faster.

Daniel Rosenwasser (Microsoft)

How We Made @platformatic/kafka 223% Faster — Platformatic’s Kafka client was created last year as the existing options at the time had various compatibility and performance issues, but Platformatic wanted even more performance. Here’s how they did the benchmarking and identified, then solved, some bottlenecks.

Paolo Insogna (Platformatic)

📄 Replacing glob-all with fs.promises.glob in Node (SiteLint)

📄 The Nuances of JavaScript Typing Using JSDoc (Jared White)

📄 How to Use GitHub Copilot Spaces to Debug Issues Faster (Andrea Griffiths, GitHub)

🛠 Code & Tools

ts-exec: Execute TypeScript on Node using SWC — From the creator of Adonis comes another way to run TypeScript on Node. While Node 22.18+ supports type stripping, ts-exec supports JSX and decorators and has some benefits over ts-node and tsx.

Harminder Virk

BoldSign eSignature API & SDK — Built for Developers, Easy to Integrate — ✍️ Ship secure e-signatures in your app in minutes with the BoldSign SDK & API. Get your free API key and start testing today.

BoldSign sponsor

iceberg-js: A JavaScript Client for Apache Iceberg — A minimal, vendor-agnostic JavaScript client for the Apache Iceberg REST Catalog API.

Katerina Skroumpelou (Supabase)

Remend: Automatic Recovery of Broken Streaming Markdown — Bring intelligent incomplete Markdown handling to your app, particularly useful if working with LLMs, say. It’s extracted from Vercel’s Streamdown library, a drop-in replacement for react-markdown, designed for AI-powered streaming.

Hayden Bleasel (Vercel)

📢 Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape: