One bit that's worth emphasizing more on the new streams api discussion is the absolute cost of the current web streams model. Node.js' web streams impl has never been perf optimized but 90x faster is still ... something ...
After implementing web streams in multiple runtimes, supporting them for years, talking with other implementers, dealing with issues... I think it's well past time we talked about something better blog.cloudflare.com/a-better-web...
🚀 Coming in the next version of tsdown: built-in Node.js SEA (Single Executable Applications) support!
Now you can bundle your JS apps into a standalone executable with a single command:
tsdown --exe
Really cool to see @npmjs.bsky.social featuring more security information on package pages, including a link to Socket's analysis! 🤩
Here's what you'll find when you click through →
socket.dev/blog/socket-... #NodeJS #JavaScript
Excited that @socket.dev has joined @openjsf.org!
Code security is more important than ever in the AI coding and agentic era! We're doing our part to help.
🎉 We’re thrilled to welcome @socket.dev as our newest Silver member.
Socket is doing critical work to secure the JavaScript ecosystem by helping developers identify and prevent supply chain risks. We're excited to collaborate and make open source safer for everyone! 🛡️💻
openjsf.org/blog/socket-...
We're excited to announce that Socket is joining the @openjsf.org! Proud to support the #JavaScript ecosystem alongside so many great projects and contributors.
socket.dev/blog/socket-...
New Node.js codemod ✨ Migrate from Chalk to Node.js util styleText nodejs.org/en/blog/migr...
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com
Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
TIL there's ongoing work to add a native virtual file system (VFS) to Node.js!! Yes please!!! 😱🤩
github.com/nodejs/node/...
@nodeland.dev you are a hero!
New blog post on the journey of the new --build-sea flag and how SEA injection works
joyeecheung.github.io/blog/2026/01...
Finished two retrospective blog posts on the journey of require(esm) before 2025 ends:
joyeecheung.github.io/blog/2025/12...
joyeecheung.github.io/blog/2025/12...
I ported a Python library implementing a full HTML5 parser to JavaScript using GPT-5.2 and Codex CLI in 4.5 hours, and decorated for Christmas and watched Knives Out while I was doing it simonwillison.net/2025/Dec/15/...
No this is normal.
This was like doubling and tripling down. Perf fights are my favorite 🍿
I just published a new blog post: "State of URL parsing performance in 2025". I hope this answers all of @bagder.mastodon.social.ap.brid.gy's concerns. www.yagiz.co/state-of-url...
"Compacting conversation" is 2025 speak for "time to get some coffee"
🚀 Day 2 of Socket Launch Week:
Today we’re introducing a major shift in how developers fix vulnerabilities: Socket Certified Patches.
One-click, safe-by-design remediation for vulnerable dependencies.
🚀 Day Two of Socket Launch Week!
We’re launching @socket.dev Certified Patches—a new way to eliminate vulnerabilities instantly without upgrading your package versions or pulling in risky new code.
Tiny, human-reviewed fixes that give teams a clean path to zero exploitable CVEs.
🚀 pnpm v10.21 is out!
This release introduces two powerful new security & compatibility features:
1️⃣ Automatic Node.js runtime installation for dependencies
2️⃣ Configurable trust policy for detecting supply-chain downgrades
🧵👇
"Let me use sed" is the new "Hold my beer"
Lodash is entering a new chapter 📖 With investment from @sovereign.tech the project is getting key updates for security, modernization, and community-led governance.
Details: hubs.la/Q03NrdfR0
Introducing Socket Firewall: free, proactive protection for your software supply chain
@dale.link @socket.dev
socket.dev/blog/introdu...
#ECMAScript #JavaScript
🚀 Socket now integrates with Bun 1.3’s new Security Scanner API! @bun.sh users can now protect their projects from malicious packages, typosquatting, & other supply chain attacks. Great to see Bun moving fast to protect devs with this new API!
socket.dev/blog/socket-...
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.
Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.
socket.dev/blog/pnpm-10... #NodeJS
In the past week "minimumReleaseAge" was added to pnpm 10.16.0 and also "maturity-period" added to taze 19.6.0 🙌
pnpm v10.16.0 adds "minimumReleaseAge", a setting for defining how long a version has to have been published before pnpm will install it.
A nice countermeasure against accidental installs of short-lived compromised packages before they get taken down. Not a 100% fix, but a great additional step!
🚨 Using setImmediate() in your Node.js apps? You might be creating silent performance bombs that only explode in production.
Our latest webinar breaks down why this "simple" async function is one of the most misunderstood tools in Node.js 🧵👇