#​587 — July 22, 2025

Read on the Web

Together with  Fusion Auth
Node.js Weekly

Laravel and Node.js: PHP in Watt Runtime — In June we featured php-node, a new way to ‘bridge the gap’ between PHP and Node.js by being able to embed PHP into Node apps. Now they’ve gone a step further by using php-node and the Watt app server to enable the running of Laravel apps too. A curious meeting of ecosystems!

Stephen Belanger (Platformatic)

The Node.js July 15 Security Releases — Mentioned in passing last week, but landing hours after we sent the newsletter came the releases of Node.js v24.4.1 (Current), v22.17.1 (LTS) and v20.19.4 to resolve some security vulnerabilities (a path traversal issue on Windows, and an issue related to hashing in V8).

The Node.js Project

Skip Building Auth from Scratch in Your Node.js App — FusionAuth integrates with Express, Fastify, and Node.js backends. Add enterprise-grade auth in minutes, not months. Download locally, test in CI/CD pipelines. API-first design lets you focus on your app logic. Start Building for free.

FusionAuth sponsor

IN BRIEF:

How to Create an NPM Package in 2025 — One of JavaScript’s most essential tasks, but one with numerous steps involved if you want to follow best practices, integrate useful tools, and get things just right. Matt Pocock rounds up the overall process and, notably, drops CommonJS in this 2025 update.

Matt Pocock

Endor: Add Services (Like Postgres) as Node Dependencies — A curious new effort to make it possible to spin up quick, sandboxed environments and servers, covering things like Postgres, MariaDB and Valkey, with a simple npm install and endor run.

Angel M Miguel (Endor)

📄 We Migrated Our Site to Eleventy and Increased Performance by 24%Eleventy (11ty) is a popular Node-based static site generator. Dan Webb

📄 Build Your Own Font Search Engine – Using vision language models to index and search the fonts. Lúí Smyth

📄 A Full Code Agent in 200 Lines – Here’s How Clément Thiriet

🛠 Code & Tools

npq: Safely Install Packages by Auditing Them Pre-Installnpq performs several extra steps compared to npm. It consults Snyk’s database of vulnerabilities, looks at the package’s age, download count, and docs, and tries to paint a better picture of what you’re really installing.

Liran Tal

Announcing NAPI-RS v3: The Way to Build Node Addons in RustNAPI-RS is a framework for building compiled Node.js add-ons in Rust via Node-API. v3 adds support for targeting WebAssembly, which opens up some interesting possibilities shown in the post, along with numerous DX improvements including easier cross compilation.

NAPI-RS Team

Product for Engineers Newsletter — Build better products, not just better code. Learn how to build features users love. Subscribe for free.

PostHog sponsor

YouTube.js 15.0: A Very Unofficial YouTube API Client — ‘InnerTube’ is an API used by YouTube’s clients, and you can use it too, although YouTube might not be a fan of that.. Nonetheless, it runs on Node.js, Deno, and modern browsers, and v15.0 drops CommonJS support.

LuanRT

stripe-sync-engine: A Stripe-To-Postgres Sync Engine as a Standalone Library
Kevin Grüneberg (Supabase)

📢  Elsewhere in the ecosystem

A roundup of some other interesting stories in the broader landscape, in case you've missed them: