and by Ireland Matteo means Italy of course 😅

1/ I’m still processing what’s going on in tech at the moment. I used to feel at home in that world. It used to feel incredibly creative and positive. Now it’s increasingly full of bugs, dark addicting patterns and AI slop. 2ality.com

Node.js v22.22.3 is out 🚀🚀 Changelog 👇 nodejs.org/en/blog/rele...

This is awesome!! Check out @vlt.sh for this in the JS ecosystem. www.vlt.io/products/rep...

It’s almost as if we said securing GitHub actions is really difficult and maybe it shouldn’t be at the heart of our security model for publishing.

NodeConf EU is back in Bologna, Italy and it's going to be special 🇮🇹 Great talks, better people, and the kind of hallway track you can't replicate online. Blind tickets? Already gone. CFP open. Regular tickets moving. Join us: www.nodeconf.eu

Node.js 26.1.0 is out, with a new `node:ffi` module, `crypto.randomUUIDv7()`, and many more features and bug fixes. Full changelog and download links at nodejs.org/en/blog/rele...

For those who build or redistribute Node.js - as the V8 implementation of temporal depends on temporal_rs, this also means starting from v26 building Node.js fully requires a Rust toolchain. See github.com/nodejs/node/...

The hidden gem is that @nodejs.org majors and LTS cycles got WAY easier to understand: 2026 -> v26 2027 -> v27 2028 -> v28 ... Aall of them go LTS for 18 months meaning each major is supported for 2 years. The new graphic tells the best story here: nodejs.org/en/blog/anno...

Node.js v26.0.0 is out 💚 Temporal API enabled by default, V8 14.6, Undici 8, and key deprecations as we keep modernizing the platform. Check it out nodejs.org/en/blog/rele...

The 2026 Node.js London Collaboration Summit trip report is officially live! 🚀 We gathered 50+ contributors to discuss the biggest technical shifts coming to the runtime. Big thanks to Bloomberg for hosting! 🇬🇧 Check out the full recap and recordings here: https://bit.ly/3OHPLmz

Broadcasting GPS on the local network https://evertpot.com/broadcasting-gps-on-local-network/

devEngines started as @geoffreybooth.bsky.social and I in DMs 2 years ago. It's now supported in @npmjs.bsky.social & @pnpm.io, and later this month will be our recommended way for developers at Netflix to define runtime and package manager versions in their projects. docs.npmjs.com/cli/v11/conf...

While others race away from Open Source, @vlt.sh is doubling down. 🖤⚡ Today we’re announcing our renewed commitment to @opensourcepledge.com and investing back into the ecosystem. www.vlt.io/blog/doublin...

DMNO (varlock) was one of the fastest growing open-source orgs on GitHub in Q1. Thanks for the recognition @supabase.com >commitvc #osscarindex osscar.dev/org/dmno-dev

pnpm v11.0.0 is released! The "latest" dist-tag still points to v10, so install it via "pnpm self-update latest-11" github.com/orgs/pnpm/di...

Node excitement 😉 Congrats to @targos.dev on landing the V8 14.6 upgrade in upstream Node, heading for Node v26 which will be released very soon 🎉 This is the first version of V8 in Node to support unflagged Temporal 👍 github.com/nodejs/node/...

You can use nvm to kick the tires on `node:ffi`! NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly nvm install 26

Do not unleash your AI-powered bot into people's GitHub repos without asking first. If you do that on any of the repos I maintain, your bot is likely to get banned. (I've already banned a few).

We are happy to announce the NodeConf EU is returning in 2026. This time, things will be a little different. While the Irish countryside made for a beauttiful backdrop for getting the community together to talk about Node.js, there have always been a number of logistical challenges to hosting there;

I'm working on a feature called package maps for Node.js - it's leveraging everything I learned about package resolution these past six years, in a design that's both simple and flexible enough to be backward compatible with existing installs. I'm very excited about this! github.com/nodejs/node/...

My terminal diff tool, hunk, has added a lot of good stuff: - horizontal scrolling w/ mouse support - pinned file headers - way better file browser UI - draggable scrollbar - perf & bug fixes ⬇️ Here's what it looks like today

dark mode on www.npmjs.com ???

📖 This article by @sarahgooding.bsky.social at @socket.dev highlights a concerning trend (ref. socket.dev/blog/attacke...) 📕 Story time: this kind of supply chain targeting isn't unique. I myself & everyone on our team @vlt.sh have been the targets of consistent, concerted efforts.

I've said this before. I'll say it again. The LOC touched in a PR doesn't matter. It's not an indicator of productivity. A one word change can carry more weight, positive or negative, than a 20k LOC change. The only time LOC matters is to the poor soul that has to review it.

Unfortunately, security reports are no longer eligible for bounties due to the IBB program being paused

this is one of my favorite parts of the @vlt.sh CLI. it uses @socket.dev security data to prevent known malware from running lifecycle scripts like postinstall! and it’s powered by queries under the hood so you could make it as granular as you wanted (but we ship with safe defaults)

I heard you like fast package managers? What about fast registries? It's been a roller coaster of a month but our team has made some serious headway w/ even more improvements in the works. Gotta keep the registry fast so y'all can nab the next Claude Code leak.

🧨 Axios only needed to be resolved somewhere in your dependency graph to affect you. Semver + transitive deps + runtime installs = hidden blast radius. If you only checked your project’s lockfile, you may still not know. socket.dev/blog/hidden-... #nodejs #javascript

tldr; if you used @vlt.sh as your package manager, then you were protected the minute @socket.dev flagged the malicious packages in the `axios` attack yesterday. The best time to switch your package manager was 48hrs ago, the next best time is right now. More below: blog.vlt.sh/blog/vlt-build

Node.js 25.9.0 (Current) is out 💚 https://nodejs.org/en/blog/release/v25.9.0

I just blogged: "Burrow, a new Gopher client in the browser" https://evertpot.com/burrow-gopher-client/

Along with the blog post there's a recording of the interview. Listen to the full interview OR the last 10 minutes (linked). www.youtube.com/watch?v=ZbWx...

This work is so important that I reinstalled Bluesky to support it. Shoutout James and the rest of e18e for their thankless work making the web a better place

This must've been one of the most challenging things I've worked on in a while. Thanks Bloomberg for sponsoring my work on this, and everyone who helped shipping a fix in time!

⚠️ Security releases are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines. Please see the blog post for additional details: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

✂️ Knip v6 is out It's finally here, and your favorite slop fighter is already speedier than expected! Can't wait to see y'all tidying up bigger codebases, faster 🚀 Blogpost + release notes: knip.dev/blog/knip-v6 Knip: knip.dev

Last week we were able to present @robpalmer.bsky.social with his physical Ecma Recognition Award! 🎉 This was followed by an extensive round of tributes and praise, which Rob endured somewhat uncomfortably, at every opportunity urging us to cease and attend to the waiting celebratory Temporal cake.

Today is my last day with the Deno team 🦕💖💔 I know they're gonna keep making awesome things. But now *I* need to make awesome things for someone else! If you're looking for a DevRel with a JS focus and extra sparkle, get in touch!

This must’ve been the biggest (in size) PR I’ve ever reviewed 😬 thanks for bearing with my insistence in hooking into the module loader & intercepting in fs internals, hopefully this would make a class of monkey patching in the wild obsolete and we will have a much more robust public API for this!

.@nodejs has always been about I/O. Streams, buffers, sockets, files. But there's a gap that has bugged me for years: you can't virtualize the filesystem. You can't import a module that only exists in memory. You can't bundle assets into a Single Executable without patching half of core. 👇

We appreciate the post and the feedback @jesse.id ! Those getting started docs are due for an update :) jesse.id/blog/posts/u...

ECMAScript Euphoria! 🎉 We don't always post when a single proposal advances, but when we do, it's Temporal -> Stage 4. Just days shy of 9 years from Stage 1, a herculean effort on the part of many champions, delegates, invited experts, and contributors, past and present. Thank you all! 🙌

Node.js is moving to one major release per year starting with Node 27! 🚀 ✅ Simpler: Every release becomes LTS. ✅ Predictable: Version numbers now align with the year. ✅ New: A 6-month Alpha channel for early testing. https://bit.ly/4rnosLg

Using AI to write code has made me realize there are two types of code I've traditionally written: 1. Code that I want to know how it works 2. Code that I want to exist but don't care how it works I delegated 100% of the second category to AI now. Maybe 50% of the first.

I'm using Varlock on everything now. www.youtube.com/watch?v=M5Ik...

Yesterday we saw the most _new_ NPM packages being released in the last 12 months, at 2804 packages. Pretty steady upward trajectory here, unlike we've ever seen. This graph is spiky because it's daily data and weekends are lower.

Node.js v22.22.1 is out 🔥 Release notes 👇 nodejs.org/en/blog/rele...

Node.js v20.20.1 is out 🎉 This is the last planned release before v20 goes End-of-Life ❗ Release notes 👇 nodejs.org/en/blog/rele...

Announcing the @nodejs.org LTS Upgrade and Modernization Program! 🚀 We're helping enterprises move safely off end-of-life Node.js versions to reduce security risks with our partnerNodeSource. Modern Node.js is safer Node.js. Details: openjsf.org/blog/nodejs-...