Richard Lau
@rwklau.bsky.social
Software Engineer at IBM.
Node.js Build Infrastructure, Releaser & Technical Steering Committee.
Reposted by Richard Lau
🚨 Node.js assessment of the recent OpenSSL Security Release

TL;DR: We'll update OpenSSL versions through a regular release process.

nodejs.org/en/blog/vuln...
Node.js — OpenSSL Security Advisory Assessment, January 2026
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
nodejs.org
January 29, 2026 at 12:53 PM
Reposted by Richard Lau
I love how the answer to the title of this article is "they don't"

"Why Costco Still Relies On IBM Computers From The '80s"

www.bgr.com/2079471/why-...

The new Power 11 servers are so shiny ✨ I was able to meet my first one at IBM TechXchange 2025 back in October.

(I work on IBM Z, not Power)
Why Costco Still Relies On IBM Computers From The '80s - BGR
Costco still uses old IBM computers. This is because these systems are more secure, backwards compatible, and reliable, making them less of a hassle.
www.bgr.com
January 27, 2026 at 11:24 PM
Reposted by Richard Lau
⚠️ The Node.js Project now requires a HackerOne Signal score of 1.0 or higher to submit vulnerability reports. This will help our team streamline reports and support effective security reviews.

nodejs.org/en/blog/anno...
Node.js — New HackerOne Signal Requirement for Vulnerability Reports
nodejs.org
January 22, 2026 at 3:52 PM
Reposted by Richard Lau
How did we do at the end of 2025 as far as testing our current collection of open source software packages for Linux on #IBMZ and #LinuxONE?

It was a strong finish! The team worked on over two dozen packages, including cAdvisor, PostgreSQL, and SPIRE.

Full report: community.ibm.com/community/us...
Linux on IBM Z and LinuxONE Open Source Software Report: December 2025
community.ibm.com
January 21, 2026 at 9:32 PM
Reposted by Richard Lau
State of WebAssembly (Wasm) - recap events of 2025 and preview what 2026 can bring.

platform.uno/blog/the-sta...
The State of WebAssembly – 2025 and 2026
A comprehensive look at WebAssembly in 2025 and 2026, covering browser support, Safari updates, WebAssembly 3.0, WASI, .NET, Kotlin, debugging improvements, and growing adoption across edge computing ...
platform.uno
January 20, 2026 at 9:54 PM
Reposted by Richard Lau
This release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:
Node.js v25.4.0 is out! 💚

• require(esm) now stable and a new CLI flag: --require-module
• http setGlobalProxyFromEnv() added
• Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects)
• Root CAs updated to NSS 3.117

More in: nodejs.org/en/blog/rele...
nodejs.org
January 19, 2026 at 6:42 PM
Reposted by Richard Lau
Node.js v25.4.0 is out! 💚

• require(esm) now stable and a new CLI flag: --require-module
• http setGlobalProxyFromEnv() added
• Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects)
• Root CAs updated to NSS 3.117

More in: nodejs.org/en/blog/rele...
nodejs.org
January 19, 2026 at 6:01 PM
Reposted by Richard Lau
Today the Temporal proposal has entered the stable stream shipping Chrome 144. This opens the gates for attaining Stage 4 at TC39.

That means tonight I will be purchasing a supply of champagne in preparation.

It’s been a long journey and so very worthwhile!
January 13, 2026 at 4:31 PM
Reposted by Richard Lau
Today, we published a security release for @nodejs.org that fixes a critical bug affecting virtually every production Node.js app.

If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks.

👇
January 13, 2026 at 6:50 PM
Reposted by Richard Lau
We appreciate your patience and understanding as we work to deliver a secure and reliable release.

Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines to address:

- 3 high severity issues
- 4 medium severity issues
- 1 low severity issue

nodejs.org/en/blog/vuln...
Node.js — Tuesday, January 13, 2026 Security Releases
nodejs.org
January 13, 2026 at 2:42 PM
Reposted by Richard Lau
🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.
Node.js — Thursday, January 8, 2026 Security Releases
nodejs.org
January 8, 2026 at 9:50 PM
Reposted by Richard Lau
The Node.js package configuration guide is now live! 🎉

Whether you're creating your first package or migrating to ESM, this guide walks you through it with examples.

https://nodejs.github.io/package-examples
nodejs.github.io
January 8, 2026 at 9:02 PM
Reposted by Richard Lau
npm is planning to implement staged publishing, adding a review step before packages go live.

It follows a year of supply chain attacks & a rocky shift away from classic tokens over the past month that left many maintainers struggling.

socket.dev/blog/npm-to-... #NodeJS cc: @campuscodi.risky.biz
npm to Implement Staged Publishing After Turbulent Shift Off...
The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...
socket.dev
January 7, 2026 at 5:25 PM
Reposted by Richard Lau
When the reproducibility of a serialized object breaks and

1. It doesn’t show up in debug builds
2. There is no obvious pattern in how the bits change

Then that might be an uninitialised padding

(Spent a couple of hours trying to fix this again…after I forgot how I fixed something similar before)
December 17, 2025 at 11:56 PM
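The failure mode described in the post above, as an added example that is not the poster's code: a struct whose members are initialised but whose alignment padding is not, so a raw byte copy of the object changes from run to run while a field-wise serialisation does not. The record_t type, the two serialisers and the poison_padding helper are constructed for this illustration; the helper writes a known pattern into the padding bytes through an unsigned char pointer (well-defined in C) so that the non-reproducibility is deterministic instead of depending on stack garbage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record type: on typical ABIs the uint8_t is followed by 3
 * padding bytes before the uint32_t. No initialiser ever touches those
 * bytes, so a memcpy/hash of the whole object picks up stale memory. */
typedef struct {
    uint8_t  flags;
    uint32_t id;
    uint64_t ts;
} record_t;

/* Number of padding bytes in record_t on this platform. */
size_t padding_bytes(void) {
    return sizeof(record_t) - (sizeof(uint8_t) + sizeof(uint32_t) + sizeof(uint64_t));
}

/* Naive serialisation: copies the object representation, padding included. */
size_t serialize_raw(const record_t *r, unsigned char *out, size_t cap) {
    if (cap < sizeof *r) return 0;
    memcpy(out, r, sizeof *r);
    return sizeof *r;
}

/* Field-wise serialisation to a fixed little-endian wire layout; padding
 * bytes never reach the output, so the result depends only on field values. */
#define REC_WIRE_SIZE (1 + 4 + 8)
static void put_le(unsigned char *p, uint64_t v, int n) {
    for (int i = 0; i < n; i++) p[i] = (unsigned char)(v >> (8 * i));
}
size_t serialize_fields(const record_t *r, unsigned char *out, size_t cap) {
    if (cap < REC_WIRE_SIZE) return 0;
    out[0] = r->flags;
    put_le(out + 1, r->id, 4);
    put_le(out + 5, r->ts, 8);
    return REC_WIRE_SIZE;
}

/* Overwrite every byte that does not belong to a field with `pattern`.
 * Stands in deterministically for "whatever was on the stack before". */
static void poison_padding(record_t *r, unsigned char pattern) {
    unsigned char *p = (unsigned char *)r;
    for (size_t i = 0; i < sizeof *r; i++) {
        if (i >= offsetof(record_t, flags) && i < offsetof(record_t, flags) + sizeof r->flags) continue;
        if (i >= offsetof(record_t, id)    && i < offsetof(record_t, id)    + sizeof r->id)    continue;
        if (i >= offsetof(record_t, ts)    && i < offsetof(record_t, ts)    + sizeof r->ts)    continue;
        p[i] = pattern;
    }
}

/* Serialise two logically equal records whose padding differs and report
 * whether the outputs are byte-identical (1) or not (0). */
int reproducible(int use_fields) {
    record_t a = { .flags = 1, .id = 42, .ts = 1700000000ULL };
    record_t b = { .flags = 1, .id = 42, .ts = 1700000000ULL };
    poison_padding(&a, 0xAA);
    poison_padding(&b, 0x55);
    unsigned char ba[32], bb[32];
    size_t na, nb;
    if (use_fields) {
        na = serialize_fields(&a, ba, sizeof ba);
        nb = serialize_fields(&b, bb, sizeof bb);
    } else {
        na = serialize_raw(&a, ba, sizeof ba);
        nb = serialize_raw(&b, bb, sizeof bb);
    }
    return na == nb && memcmp(ba, bb, na) == 0;
}

int main(void) {
    printf("padding bytes in record_t: %zu\n", padding_bytes());
    printf("raw memcpy reproducible:   %d\n", reproducible(0));
    printf("field-wise reproducible:   %d\n", reproducible(1));
    return 0;
}
```

Zeroing the object with memset before assigning fields also makes the raw copy stable on one compiler and ABI, but only field-wise serialisation is portable, and it is the form that keeps padding bytes (which may hold leftovers of earlier stack frames) out of anything written to disk or the network.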
Reposted by Richard Lau
Here we are, the last report of the year from the #Linux on #IBMZ and #LinuxONE porting team and beyond 🚀

The list for November has nearly three dozen projects tested, including Apache Cassandra, fluentd, and neo4j + GnuCOBOL on our GitHub Actions for s390x 🧑‍💻

community.ibm.com/community/us...
Linux on IBM Z and LinuxONE Open Source Software Report: November 2025
community.ibm.com
December 17, 2025 at 4:25 PM
Reposted by Richard Lau
⚠️ Node.js security release has been postponed ⚠️
We have decided to delay the security release further to January 7th 2026 to ensure the team has enough time to prepare the releases and avoid disruptions during the holiday season.
nodejs.org/en/blog/vuln...
Node.js — Wednesday, January 7, 2026 Security Releases
nodejs.org
December 17, 2025 at 5:31 PM
Reposted by Richard Lau
⚠️ The security release has been postponed to the 18th of December. The team is working on a challenging patch.
❗️Node.js Security release pre-alert ❗️
We will release new versions of v20, v22, v24, v25 release lines on or shortly after the 15th of December 2025 in order to address:
* 3 high severity issues.
* 1 low severity issue.
* 1 medium severity issue.
nodejs.org/en/blog/vuln...
Node.js — Monday, December 15, 2025 Security Releases
nodejs.org
December 15, 2025 at 7:55 PM
Reposted by Richard Lau
In the end, it would be best if NPM just blocked TOTP reuse.

TOTP stands for “Time-based One-Time Password,” after all. The “one-time” property is important enough to account for 50% of the acronym. 🙂

Even the spec explicitly calls for blocking reuse: datatracker.ietf.org/doc/html/rfc... 6/6
December 12, 2025 at 1:08 PM
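What blocking TOTP reuse looks like on the verifier side, as an added example that is not npm's code: RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1, the RFC default), plus a verifier that records, per user, the highest time-step counter it has already accepted and refuses any code whose counter is not strictly greater, which is the "MUST NOT accept the second attempt" requirement in RFC 6238 section 5.2. The TotpVerifier class, its window parameter and the per-user bookkeeping are this example's own design; the secret used below is the RFC 6238 test-vector key, not a real one.

```python
"""RFC 6238 TOTP verification that rejects reuse of an accepted code."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Checks TOTP codes within +/- `window` steps and blocks replay.

    Per user we keep the highest counter already accepted. A code is only
    valid if its counter is strictly greater, so the same code cannot be
    presented twice in one step and a captured previous-step code cannot
    be replayed through the window tolerance either.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_accepted: Dict[str, int] = {}  # user -> highest counter consumed

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                if counter <= self._last_accepted.get(user, -1):
                    return False  # replay: this step (or an older one) already consumed
                self._last_accepted[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, not a real secret
    v = TotpVerifier(secret)
    code = totp(secret, 1000)
    print("first use:", v.verify("alice", code, now=1000))    # True
    print("replay:   ", v.verify("alice", code, now=1010))    # False
```

In a real deployment the per-user "last accepted counter" has to live in shared, durable storage (a database row or cache keyed by the user), not in process memory; otherwise a replay succeeds against any other instance behind the load balancer, which is exactly the gap a "one-time" password is supposed to close.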
Reposted by Richard Lau
Devonte' Hawkins and I published a blog post all about the giant IBM Telum II that was professionally designed, you can read the full post here: community.ibm.com/community/us...

But at the end there's a surprise: the instructions and parts list for building your own little dual-chip module! Enjoy!
Ride the Lego IBM Telum II
community.ibm.com
December 10, 2025 at 5:43 PM
Reposted by Richard Lau
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
socket.dev
December 10, 2025 at 5:45 AM
Reposted by Richard Lau
Working in an enterprise setup with corporate proxies or custom CAs? Node.js has native support for that.
No external dependency required, just configure and continue 👍
Details: https://nodejs.org/en/learn/http/enterprise-network-configuration
Node.js — Enterprise Network Configuration
nodejs.org
December 10, 2025 at 3:32 PM
Reposted by Richard Lau
🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social
socket.dev Socket @socket.dev · Dec 10
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
socket.dev
December 10, 2025 at 6:03 AM
Reposted by Richard Lau
ECMAScript excitement 😉

A highly comprehensive article on what will (and might!) land in ES2026 by @marypcbuk.bsky.social 🎉

Includes coverage on Temporal by Boa creator @jason-williams.co.uk who leads the Rust-based temporal_rs library, as used by Google's V8 engine, amongst others.
December 9, 2025 at 11:57 PM
Reposted by Richard Lau
❗️Node.js Security release pre-alert ❗️
We will release new versions of v20, v22, v24, v25 release lines on or shortly after the 15th of December 2025 in order to address:
* 3 high severity issues.
* 1 low severity issue.
* 1 medium severity issue.
nodejs.org/en/blog/vuln...
Node.js — Monday, December 15, 2025 Security Releases
nodejs.org
December 8, 2025 at 5:50 PM
🤔
December 8, 2025 at 4:49 PM