Node Weekly Issue 587: July 22, 2025

#587 — July 22, 2025

Together with

Laravel and Node.js: PHP in Watt Runtime — In June we featured php-node, a new way to ‘bridge the gap’ between PHP and Node.js by being able to embed PHP into Node apps. Now they’ve gone a step further by using php-node and the Watt app server to enable the running of Laravel apps too. A curious meeting of ecosystems!

Stephen Belanger (Platformatic)

The Node.js July 15 Security Releases — Mentioned in passing last week, but landing hours after we sent the newsletter came the releases of Node.js v24.4.1 (Current), v22.17.1 (LTS) and v20.19.4 to resolve some security vulnerabilities (a path traversal issue on Windows, and an issue related to hashing in V8).

The Node.js Project

Skip Building Auth from Scratch in Your Node.js App — FusionAuth integrates with Express, Fastify, and Node.js backends. Add enterprise-grade auth in minutes, not months. Download locally, test in CI/CD pipelines. API-first design lets you focus on your app logic. Start Building for free.

FusionAuth sponsor

IN BRIEF:

The eslint-config-prettier package was recently compromised and we get a pretty thorough analysis of how it worked and how it happened.
Node's http and https built-ins are gaining support for proxies, enabled by way of an environment variable.
Bun v1.2.19 has been released with a new option to use a pnpm-style isolated, symlinked node_modules with bun install, an interactive package updater, a VS Code Test Explorer integration, a faster integrated Postgres client, and more.
The next version of pnpm will let you lock your Node.js version in the lockfile, like with any other dependency.

How to Create an NPM Package in 2025 — One of JavaScript’s most essential tasks, but one with numerous steps involved if you want to follow best practices, integrate useful tools, and get things just right. Matt Pocock rounds up the overall process and, notably, drops CommonJS in this 2025 update.

Matt Pocock

Endor: Add Services (Like Postgres) as Node Dependencies — A curious new effort to make it possible to spin up quick, sandboxed environments and servers, covering things like Postgres, MariaDB and Valkey, with a simple npm install and endor run.

Angel M Miguel (Endor)

📄 We Migrated Our Site to Eleventy and Increased Performance by 24% – Eleventy (11ty) is a popular Node-based static site generator. Dan Webb

📄 Build Your Own Font Search Engine – Using vision language models to index and search the fonts. Lúí Smyth

📄 A Full Code Agent in 200 Lines – Here’s How Clément Thiriet

🛠 Code & Tools

npq: Safely Install Packages by Auditing Them Pre-Install — npq performs several extra steps compared to npm. It consults Snyk’s database of vulnerabilities, looks at the package’s age, download count, and docs, and tries to paint a better picture of what you’re really installing.

Liran Tal

Announcing NAPI-RS v3: The Way to Build Node Addons in Rust — NAPI-RS is a framework for building compiled Node.js add-ons in Rust via Node-API. v3 adds support for targeting WebAssembly, which opens up some interesting possibilities shown in the post, along with numerous DX improvements including easier cross compilation.

NAPI-RS Team

Product for Engineers Newsletter — Build better products, not just better code. Learn how to build features users love. Subscribe for free.

PostHog sponsor

YouTube.js 15.0: A Very Unofficial YouTube API Client — ‘InnerTube’ is an API used by YouTube’s clients, and you can use it too, although YouTube might not be a fan of that.. Nonetheless, it runs on Node.js, Deno, and modern browsers, and v15.0 drops CommonJS support.

LuanRT

stripe-sync-engine: A Stripe-To-Postgres Sync Engine as a Standalone Library
Kevin Grüneberg (Supabase)

NeutralinoJS 6.2 – Lightweight cross-platform desktop app framework.
node-oidc-provider 9.4 – OpenID Certified™ OAuth 2.0 Authorization Server implementation, now with experimental Attestation-Based Client Authentication support.
Corepack 0.34 – Node's zero-runtime-dependency bridge between projects and package managers. v0.34 drops Node 18 and 23 support.
ESLint Markdown Language Plugin 7.0 – Lint Markdown with ESLint, as well JS, JSX, TypeScript, and more inside Markdown.
Multer 2.0.2 – Node middleware for handling multipart/form-data. Fixes a security vulnerability.
on-headers 1.1 – Execute a listener when a response is about to write headers.
express-rate-limit 8.0 – Basic rate limiting for Express apps.
Jasmine 5.9 – Testing framework for browsers & Node.
node-oracledb 6.9 – Oracle Database driver for Node.
Undici 7.12 – Node's powerful HTTP client library.
node-soap 1.2 – SOAP client and server library.

📢 Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape, in case you've missed them:

In an article for ACM Queue, JS and WASM engine expert Andy Wingo presented a round up of the state of WebAssembly, both in browser and server-side use cases.
The Deno team has ▶️ shared an eight minute video digging into some of the 'untold story of JavaScript' based around its recently popular A Brief History of JavaScript timeline.
🔎 git-quick-stats.sh is a shell-based way to get a lot of statistics about your current Git repo.
Phishers are now targeting npm package developers – be alert to this.