Richard Lau
@rwklau.bsky.social
330 followers 25 following 22 posts
Software Engineer at IBM. Node.js Build Infrastructure, Releaser & Technical Steering Committee.
Reposted by Richard Lau
rginn206.bsky.social
We’ll be gathering in SF to celebrate Mikeal Rogers. A night he would’ve loved, and a fundraiser to support his family. 💚 Hope you can join. an-event-mikeal-would-have-liked.com
Reposted by Richard Lau
joyeecheung.bsky.social
I gave a talk today at @nordicjs.com about shipping Node.js packages in 2025...or how to transition from shipping dual/faux-ESM/CommonJS to shipping ESM directly!

Slides at github.com/joyeecheung/...
github.com
Reposted by Richard Lau
igalia.com
Igalia's @joyeecheung.bsky.social will be speaking about "Shipping Node.js packages in 2025", focused on migrating dual/faux/CJS packages to ESM-only at Nordic.js on Friday, 3rd October at 10:30 CEST

nordicjs.com/2025/speaker...

Come say hi!
The same details as the skeet but on a card with Joyee's avatar
Reposted by Richard Lau
notwes.bsky.social
Other than the trusted publishing stuff (which is absolutely not ready for use yet, I will be outlining why in my JS Conf talk) this is a great write up of the recent goings on.
socket.dev
GitHub is overhauling npm security after the Shai-Hulud worm. Maintainers welcome the shift to stronger defaults, but are pressing for fixes to CI workflows, enterprise support & token usability.

Details on how community feedback is shaping the rollout:
socket.dev/blog/package...
Package Maintainers Call for Improvements to GitHub’s New np...
Maintainers back GitHub’s npm security overhaul but raise concerns about CI/CD workflows, enterprise support, and token management.
socket.dev
Reposted by Richard Lau
openjsf.org
🚀 Node Rockets are blasting off (again) at #JSConf!

We’ve been launching these little rockets for over a decade, and yes, we’ve got the throwback pics to prove it.

Register: events.linuxfoundation.org/jsconf-north...
Reposted by Richard Lau
ruyadorno.com
A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...
Node.js Collab Summit, October 17 2025, Chesapeake Bay, MD
Reposted by Richard Lau
openjsf.org
Open source foundations don’t run on “magic piles of money.”

Registries, CDNs, CI pipelines, security response and compliance work all require sustained support. Read why OpenJS joined peers in signing “Open Infrastructure is Not Free.”

🔗 hubs.la/Q03KtFgr0
Reposted by Richard Lau
openjsf.org
Open source maintainers keep our ecosystem alive, but they can’t do it alone.

Support the maintainers that support you.

Read more about why we're endorsing "Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship" alongside industry partners: openjsf.org/blog/magic-p...
Open Source Can’t Rely on Magic Piles of Money | OpenJS Foundation
OpenJS signs joint industry statement on sustainable open infrastructure
openjsf.org
Reposted by Richard Lau
openjsf.org
OpenJS 🤝 Codemod

Node.js migrations just got way easier. We're partnering with Codemod to help developers update apps faster, safer, and with less manual hassle.

🔗 hubs.la/Q03KHF260
Codemod Becomes an OpenJS Foundation Partner to Support Node.js Migrations | OpenJS Foundation
Codemod partners with OpenJS to simplify Node.js migrations
hubs.la
Reposted by Richard Lau
socket.dev
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
Reposted by Richard Lau
darcyclarke.me
ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…

Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week old
docs.npmjs.com/cli/v11/usin...re
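The post above shows the flag but not what it actually does. When a package is resolved, npm consults the registry packument's "time" map (one publish timestamp per version) and refuses any version published after the cutoff, then picks the highest remaining version that satisfies the range; if nothing old enough matches, the install fails rather than silently taking a newer version. The block below is an added example, my own simplified model of that resolution and not npm's own code: the packument fragment, the package name and the "4.1.1" stand-in for a freshly published trojanized release are all constructed, and only caret ranges are handled.

```javascript
// Added example: a minimal model of how `npm install --before=<date>` resolves a
// dependency. Not npm's implementation; see the lead-in for what is assumed.

// CONSTRUCTED sample packument "time" fragment: version -> ISO publish time.
// "4.1.1" stands in for a freshly pushed, possibly malicious release that a
// date cutoff is meant to keep out of the install.
const SAMPLE_TIMES = {
  created: '2020-01-01T00:00:00.000Z',
  modified: '2025-09-15T18:00:00.000Z',
  '4.0.0': '2024-11-01T10:00:00.000Z',
  '4.1.0': '2025-05-20T09:30:00.000Z',
  '4.1.1': '2025-09-15T18:00:00.000Z',
  '4.2.0-beta.1': '2025-08-01T12:00:00.000Z',
};

// Parse "x.y.z" with an optional "-prerelease" suffix; null for non-versions
// such as the "created"/"modified" keys that share the time map.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric core first; a release sorts above a prerelease of the same core.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Caret range "^x.y.z": same major (same minor when major is 0), >= base.
// Prereleases are excluded unless explicitly requested, as npm does by default.
function satisfiesCaret(candidate, range) {
  const base = parseVersion(range.replace(/^\^/, ''));
  if (!base) throw new Error(`unsupported range: ${range}`);
  if (candidate.pre !== null) return false;
  const sameLine = base.major !== 0
    ? candidate.major === base.major
    : candidate.major === 0 && candidate.minor === base.minor;
  return sameLine && compareVersions(candidate, base) >= 0;
}

// Highest version matching `range` whose publish time is <= `before`
// (an ISO-8601 string or Date, which is what --before accepts).
// Returns null when nothing old enough matches: the install should abort.
function resolveBefore(times, range, before) {
  const cutoff = new Date(before).getTime();
  if (Number.isNaN(cutoff)) throw new Error(`bad cutoff date: ${before}`);
  let best = null;
  for (const [version, published] of Object.entries(times)) {
    const parsed = parseVersion(version);
    if (!parsed) continue;
    if (new Date(published).getTime() > cutoff) continue; // published too late
    if (!satisfiesCaret(parsed, range)) continue;
    if (best === null || compareVersions(parsed, best.parsed) > 0) {
      best = { version, parsed };
    }
  }
  return best ? best.version : null;
}

// Same cutoff the post computes with `date -v -7d`, without relying on the
// host's date binary (so it behaves identically on GNU and BSD systems).
function cutoffDaysAgo(days, now = new Date()) {
  return new Date(now.getTime() - days * 24 * 60 * 60 * 1000).toISOString();
}

if (typeof require !== 'undefined' && require.main === module) {
  const cutoff = cutoffDaysAgo(7, new Date('2025-09-17T00:00:00Z'));
  console.log('cutoff        :', cutoff);
  console.log('no --before   :', resolveBefore(SAMPLE_TIMES, '^4.0.0', '2099-01-01'));
  console.log('with --before :', resolveBefore(SAMPLE_TIMES, '^4.0.0', cutoff));
}
```

Two practical notes: `date -v -7d` is BSD/macOS syntax, so on GNU/Linux the equivalent is `npm install --before="$(date -d '-7 days' --iso-8601=seconds)"`; and a cutoff only excludes versions published after it, so it buys time for a compromised release to be noticed and unpublished but does nothing about a malicious version that already predates the window.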
Reposted by Richard Lau
socket.dev
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
Reposted by Richard Lau
rafaelgss.dev
Node.js v24.6.0 is out💚

Highlights:

* Use your system’s trusted certificates with NODE_USE_SYSTEM_CA=1
* crypto: ML-DSA (KeyObject/sign/verify)
* http: server.keepAliveTimeoutBuffer
* zlib: Zstd dictionary support
* fs: Utf8Stream (from SonicBoom)

Changelog: nodejs.org/en/blog/rele...
Node.js — Node.js v24.6.0 (Current)
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
nodejs.org
Reposted by Richard Lau
jasnell.me
Got quic in Node.js making progress again now that openssl 3.5 has landed, and finished another chapter in the book. Productive weekend. github.com/nodejs/node/...
quic: continuing work on impl using openssl 3.5 by jasnell · Pull Request #59342 · nodejs/node
More work on the implementation
github.com
rwklau.bsky.social
Assuming it's the thing from last century and not something new that reuses the initialism, yes.
Reposted by Richard Lau
1stg.me
JounQin @1stg.me · Jul 18
cc @eslint.org @prettier-eslint.bsky.social

Attention!!

I was tricked by a phishing email and an npm token was added and leaked, then some popular packages I'm maintaining were released with malicious software. I've deleted the leaked token, deprecated all bad versions and released new versions.
Reposted by Richard Lau
ulisesgascon.com
🚩 Keep up to date with @nodejs.org by watching the #Nodejs Security Working Group's last meeting on YouTube!

www.youtube.com/watch?v=_YmV...
2025-07-17 - Security Team meeting
YouTube video by node.js
www.youtube.com
Reposted by Richard Lau
openjsf.org
What’s our security team been up to in 2025? Just shipping security patches, launching new tools, and leveling up compliance like pros 💪

In 2025, we've been putting in serious work across our projects to improve security, automate releases, and streamline compliance.

📖 openjsf.org/blog/openjs-...
OpenJS Security Checkpoint: 2025 So Far | OpenJS Foundation
From vulnerability patching to release automation to better governance processes, here’s what’s been happening behind the scenes from January through June.
openjsf.org