Unfortunately, security reports are no longer eligible for bounties due to the IBB program being paused

this is one of my favorite parts of the @vlt.sh CLI. it uses @socket.dev security data to prevent known malware from running lifecycle scripts like postinstall! and it’s powered by queries under the hood so you could make it as granular as you wanted (but we ship with safe defaults)

I heard you like fast package managers? What about fast registries? It's been a roller coaster of a month but our team has made some serious headway w/ even more improvements in the works. Gotta keep the registry fast so y'all can nab the next Claude Code leak.

🧨 Axios only needed to be resolved somewhere in your dependency graph to affect you. Semver + transitive deps + runtime installs = hidden blast radius. If you only checked your project’s lockfile, you may still not know. socket.dev/blog/hidden-... #nodejs #javascript

tldr; if you used @vlt.sh as your package manager, then you were protected the minute @socket.dev flagged the malicious packages in the `axios` attack yesterday. The best time to switch your package manager was 48hrs ago, the next best time is right now. More below: blog.vlt.sh/blog/vlt-build

Node.js 25.9.0 (Current) is out 💚 https://nodejs.org/en/blog/release/v25.9.0

I just blogged: "Burrow, a new Gopher client in the browser" https://evertpot.com/burrow-gopher-client/

Along with the blog post there's a recording of the interview. Listen to the full interview OR the last 10 minutes (linked). www.youtube.com/watch?v=ZbWx...

This work is so important that I reinstalled Bluesky to support it. Shoutout James and the rest of e18e for their thankless work making the web a better place

This must've been one of the most challenging things I've worked on in a while. Thanks Bloomberg for sponsoring my work on this, and everyone who helped shipping a fix in time!

⚠️ Security releases are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines. Please see the blog post for additional details: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

✂️ Knip v6 is out It's finally here, and your favorite slop fighter is already speedier than expected! Can't wait to see y'all tidying up bigger codebases, faster 🚀 Blogpost + release notes: knip.dev/blog/knip-v6 Knip: knip.dev

Last week we were able to present @robpalmer.bsky.social with his physical Ecma Recognition Award! 🎉 This was followed by an extensive round of tributes and praise, which Rob endured somewhat uncomfortably, at every opportunity urging us to cease and attend to the waiting celebratory Temporal cake.

Today is my last day with the Deno team 🦕💖💔 I know they're gonna keep making awesome things. But now *I* need to make awesome things for someone else! If you're looking for a DevRel with a JS focus and extra sparkle, get in touch!

This must’ve been the biggest (in size) PR I’ve ever reviewed 😬 thanks for bearing with my insistence in hooking into the module loader & intercepting in fs internals, hopefully this would make a class of monkey patching in the wild obsolete and we will have a much more robust public API for this!

.@nodejs has always been about I/O. Streams, buffers, sockets, files. But there's a gap that has bugged me for years: you can't virtualize the filesystem. You can't import a module that only exists in memory. You can't bundle assets into a Single Executable without patching half of core. 👇

We appreciate the post and the feedback @jesse.id ! Those getting started docs are due for an update :) jesse.id/blog/posts/u...

ECMAScript Euphoria! 🎉 We don't always post when a single proposal advances, but when we do, it's Temporal -> Stage 4. Just days shy of 9 years from Stage 1, a herculean effort on the part of many champions, delegates, invited experts, and contributors, past and present. Thank you all! 🙌

Node.js is moving to one major release per year starting with Node 27! 🚀 ✅ Simpler: Every release becomes LTS. ✅ Predictable: Version numbers now align with the year. ✅ New: A 6-month Alpha channel for early testing. https://bit.ly/4rnosLg

Using AI to write code has made me realize there are two types of code I've traditionally written: 1. Code that I want to know how it works 2. Code that I want to exist but don't care how it works I delegated 100% of the second category to AI now. Maybe 50% of the first.

I'm using Varlock on everything now. www.youtube.com/watch?v=M5Ik...

Yesterday we saw the most _new_ NPM packages being released in the last 12 months, at 2804 packages. Pretty steady upward trajectory here, unlike we've ever seen. This graph is spiky because it's daily data and weekends are lower.

Node.js v22.22.1 is out 🔥 Release notes 👇 nodejs.org/en/blog/rele...

Node.js v20.20.1 is out 🎉 This is the last planned release before v20 goes End-of-Life ❗ Release notes 👇 nodejs.org/en/blog/rele...

Announcing the @nodejs.org LTS Upgrade and Modernization Program! 🚀 We're helping enterprises move safely off end-of-life Node.js versions to reduce security risks with our partnerNodeSource. Modern Node.js is safer Node.js. Details: openjsf.org/blog/nodejs-...

Coding was never the slow part. That's why we built Modem, your dev team's auto-triage PM. It listens to user signals 24/7, finds problems before you do & does the in-between work – filing tickets, pinging teammates, closing the loop. And it's not vaporware! You can try it out today at modem.dev

New @nodejs.org 25.8.0 release is out: nodejs.org/en/blog/rele...

npmx is now in alpha: this is our story, as told by our team and friends

After implementing web streams in multiple runtimes, supporting them for years, talking with other implementers, dealing with issues... I think it's well past time we talked about something better blog.cloudflare.com/a-better-web...

Node.js release day! @ruyadorno.com and I just released Node.js 24.14.0 and 25.7.0, full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...

One of the unfortunate side effects of company-backed open source projects is that people seem to expect all popular projects to be staffed full-time and just as responsive. Many maintainers work in their spare time on projects so this is an unfair expectation.

Having fun making this component feel good to use.

🎉 We’re thrilled to welcome @socket.dev as our newest Silver member. Socket is doing critical work to secure the JavaScript ecosystem by helping developers identify and prevent supply chain risks. We're excited to collaborate and make open source safer for everyone! 🛡️💻 openjsf.org/blog/socket-...

Landed initial support for ESM in Node.js SEA: github.com/nodejs/node/... Similar to CJS entrypoints, it only supports importing builtins, so generally require bundling. @nodeland.dev is working on support for VFS in SEA that will unlock loading other modules within SEA github.com/nodejs/node/...

A few years ago I embarked on a quest to write a small blog post for each #HTTP status each week. Didn't immediately realize that meant this project would take over a year, but still pretty happy with the result! evertpot.com/http/ [https://evertpot.com/http/]

MEDALHA DE OURO BRASIIIIIIIIILLLLLLLLL Lucas Pinheiro Braathen becomes the first South American ever to win a medal in any Winter Olympic event!!!!!

🤖 An AI agent created a GitHub account 2 weeks ago. It’s already landed PRs in major #OSS projects and is cold-emailing maintainers to offer its services. Maintainers don’t seem to know it’s an agent and the code is getting merged. We’re in new territory! 🤠 socket.dev/blog/ai-agen...

> writing javascript code > ask Brendan Eich if the array is a vector or a hashmap > he doesn't understand > pull out diagram explaining O(1) vs O(n log n) access time > he laughs and says "it's a good data structure sir" > allocate an array > arr[0] and arr["0"] both resolve to the same bucket

✨ Keep up to date with @nodejs.org by watching the #Nodejs #Release Working Group's last meeting on YouTube! www.youtube.com/watch?v=ulMh...

Node.js patch release day! Full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...

🔥 NEW BANTER: "Scaling Node.js with the Right Signals: ELU" CPU utilization is lying to you. Your auto-scaler adds pods while your actual bottleneck gets worse. Luca and I explain why ELU is the metric you should be watching. 📅 Feb 4th

Evert demoed us how to get some registry stats today 🔥 I think I'll soon start publishing random stats like @seldo.com used to do back in the day for our collective amusement

The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh

Follow up from @vlt.sh regarding my appearance on the Changelog. A new registry is in the works.

Like everyone else, I had to build something over the end-of-year break. Mine was GitHuman: a tool to review AI-generated code before you commit. It was built entirely by Claude Code. I reviewed every commit from my phone.

That and more in v25.5.0, now out! Full changelog and download links in nodejs.org/en/blog/rele...

New blog post on the journey of the new --build-sea flag and how SEA injection works joyeecheung.github.io/blog/2026/01...

This just landed! Thanks @addaleax.bsky.social and @legendecas.bsky.social for the reviews! It will be out in the next semver-minor release of 25, and likely backportable to older LTS - the new workflow is a compatible improvement to the existing postject-based SEA building workflows from v18.x.

We have increased the barrier to submit reports through HackerOne due to the amount of low-quality submissions we have received recently. Please, see: nodejs.org/en/blog/anno...

Darcy Clarke and Ruy Adorno are longtime npm CLI maintainers and Node.js contributors. They join @joshuakgoldberg.com to discuss vlt, a new package manager and registry designed to improve performance, security, and developer experience. @darcyclarke.me @ruyadorno.com bit.ly/3YNGniF