Richard Lau

@rwklau.bsky.social

Software Engineer at IBM. Node.js Build Infrastructure, Releaser & Technical Steering Committee.

363 Followers  |  28 Following  |  28 Posts  |  Joined: 08.11.2024  |  1.9979

Latest posts by rwklau.bsky.social on Bluesky


2026-02-12- Node.js Release Working Group
YouTube video by node.js 2026-02-12- Node.js Release Working Group

✨ Keep up to date with @nodejs.org by watching the #Nodejs #Release Working Group's last meeting on YouTube!

www.youtube.com/watch?v=ulMh...

12.02.2026 15:55 — 👍 2    🔁 2    💬 0    📌 0
The future of `--experimental-transform-types` · Issue #51 · nodejs/typescript I wanted to talk about the future of --experimental-transform-types. The feature has been stable for a while no outstanding issue. The problem with this flag is that the syntax supported might chan...

github.com/nodejs/types...

11.02.2026 17:32 — 👍 4    🔁 1    💬 0    📌 1
Linux on IBM Z and LinuxONE Open Source Software Report: January 2026

I just published the January report for open source software packages for Linux on #IBMZ and #LinuxONE 🐧

The team tested nearly two dozen projects, including doxygen, Elastic Logstash, and PHP 🥳

Full report: community.ibm.com/community/us... #mainframe

11.02.2026 18:47 — 👍 2    🔁 1    💬 1    📌 0
Node.js — Node.js 24.13.1 (LTS) Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

Node.js patch release day! Full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...

10.02.2026 14:20 — 👍 19    🔁 5    💬 0    📌 0

Want to make an impact? Join the OpenJS Foundation. Fund the projects you rely on. Contribute engineer time where it matters.

09.02.2026 17:30 — 👍 2    🔁 1    💬 0    📌 0
State of JavaScript 2025 The 2025 edition of the annual survey about the latest trends in the JavaScript ecosystem.

It took a while, but the State of JS 2025 survey results are now live! 2025.stateofjs.com/en-US

Thanks to @danielroe.dev for contributing the conclusion.

03.02.2026 01:04 — 👍 88    🔁 31    💬 3    📌 4
Extending Python CI-CD on IBM Power, Z and LinuxONE

We released version 1.2 of our GitHub Actions service for IBM Z and Power 🎉 including improvements to Python support, so you can now use the IBM fork (until it's accepted upstream) of python-versions to specify versions: community.ibm.com/community/us...

02.02.2026 21:28 — 👍 1    🔁 1    💬 0    📌 0

I think I figured out what's going on. Here is another blog post about tinkering with Node.js Core on ARM64 Windows (and tips about reducing the wait time on Windows) joyeecheung.github.io/blog/2026/01...

31.01.2026 10:24 — 👍 8    🔁 1    💬 0    📌 0
Release v0.40.4 · nvm-sh/nvm Bug Fixes sanitize NVM_AUTH_HEADER in wget path nvm_has_colors: also check if stdout is a terminal nvm_strip_path: avoid gawk-specific RT variable for mawk compatibility nvm_get_default_packages: ...

nvm.sh users: please upgrade to github.com/nvm-sh/nvm/r... if you're using `wget` on your system, to fix a medium vulnerability (github.com/nvm-sh/nvm/s...).

29.01.2026 23:07 — 👍 6    🔁 4    💬 1    📌 0
Node.js — OpenSSL Security Advisory Assessment, January 2026 Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

🚨 Node.js assessment of the recent OpenSSL Security Release

TL;DR: We'll update OpenSSL versions through a regular release process.

nodejs.org/en/blog/vuln...

29.01.2026 12:53 — 👍 6    🔁 2    💬 0    📌 0
Why Costco Still Relies On IBM Computers From The '80s - BGR Costco still uses old IBM computers. This is because these systems are more secure, backwards compatible, and reliable, making them less of a hassle.

I love how the answer to the title of this article is "they don't"

"Why Costco Still Relies On IBM Computers From The '80s"

www.bgr.com/2079471/why-...

The new Power 11 servers are so shiny ✨ I was able to meet my first one at IBM TechXchange 2025 back in October.

(I work on IBM Z, not Power)

27.01.2026 23:24 — 👍 2    🔁 1    💬 0    📌 0
Node.js — New HackerOne Signal Requirement for Vulnerability Reports Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

⚠️ The Node.js Project now requires a HackerOne Signal score of 1.0 or higher to submit vulnerability reports. This will help our team streamline reports and support effective security reviews.

nodejs.org/en/blog/anno...

22.01.2026 15:52 — 👍 28    🔁 3    💬 0    📌 1
Linux on IBM Z and LinuxONE Open Source Software Report: December 2025

How did we do at the end of 2025 as far as testing our current collection of open source software packages for Linux on #IBMZ and #LinuxONE?

It was a strong finish! The team worked on over two dozen packages, including cAdvisor, PostgreSQL, and SPIRE.

Full report: community.ibm.com/community/us...

21.01.2026 21:32 — 👍 2    🔁 1    💬 1    📌 0
The State of WebAssembly – 2025 and 2026 A comprehensive look at WebAssembly in 2025 and 2026, covering browser support, Safari updates, WebAssembly 3.0, WASI, .NET, Kotlin, debugging improvements, and growing adoption across edge computing ...

State of WebAssembly (Wasm) - recap events of 2025 and preview what 2026 can bring.

platform.uno/blog/the-sta...

20.01.2026 21:54 — 👍 2    🔁 1    💬 0    📌 0

This release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:

19.01.2026 18:42 — 👍 53    🔁 8    💬 2    📌 1

Node.js v25.4.0 is out! 💚

• require(esm) now stable and a new CLI flag: --require-module
• http setGlobalProxyFromEnv() added
• Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects)
• Root CAs updated to NSS 3.117

More in: nodejs.org/en/blog/rele...

19.01.2026 18:01 — 👍 36    🔁 7    💬 0    📌 2

Today the Temporal proposal has entered the stable stream shipping Chrome 144. This opens the gates for attaining Stage 4 at TC39.

That means tonight I will be purchasing a supply of champagne in preparation.

It’s been a long journey and so very worthwhile!

13.01.2026 16:31 — 👍 56    🔁 7    💬 4    📌 1

Today, we published a security release for @nodejs.org that fixes a critical bug affecting virtually every production Node.js app.

If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks.

👇

13.01.2026 18:50 — 👍 79    🔁 21    💬 2    📌 4
Node.js — Tuesday, January 13, 2026 Security Releases Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

We appreciate your patience and understanding as we work to deliver a secure and reliable release.

Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines to address:

- 3 high severity issues
- 4 medium severity issues
- 1 low severity issue

nodejs.org/en/blog/vuln...

13.01.2026 14:42 — 👍 64    🔁 26    💬 1    📌 2
Node.js — Thursday, January 8, 2026 Security Releases Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

🚨 Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.

08.01.2026 21:50 — 👍 17    🔁 5    💬 1    📌 0

The Node.js package configuration guide is now live! ๐ŸŽ‰

Whether you're creating your first package or migrating to ESM, this guide walks you through it with examples.

https://nodejs.github.io/package-examples

08.01.2026 21:02 — 👍 69    🔁 11    💬 2    📌 1
npm to Implement Staged Publishing After Turbulent Shift Off... The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...

npm is planning to implement staged publishing, adding a review step before packages go live.

It follows a year of supply chain attacks & a rocky shift away from classic tokens over the past month that left many maintainers struggling.

socket.dev/blog/npm-to-... #NodeJS cc: @campuscodi.risky.biz

07.01.2026 17:25 — 👍 9    🔁 5    💬 1    📌 2

When the reproducibility of a serialized object breaks and

1. It doesn’t show up in debug builds
2. There is no obvious pattern in how the bits change

Then that might be an uninitialised padding

(Spent a couple of hours trying to fix this again…after I forgot how I fixed something similar before)

17.12.2025 23:56 — 👍 3    🔁 1    💬 0    📌 0
Linux on IBM Z and LinuxONE Open Source Software Report: November 2025

Here we are, the last report of the year from the #Linux on #IBMZ and #LinuxONE porting team and beyond 🚀

The list for November has nearly three dozen projects tested, including Apache Cassandra, fluentd, and neo4j + GnuCOBOL on our GitHub Actions for s390x 🧑‍💻

community.ibm.com/community/us...

17.12.2025 16:25 — 👍 4    🔁 1    💬 0    📌 0
Node.js — Wednesday, January 7, 2026 Security Releases Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

⚠️ Node.js security release has been postponed ⚠️
We have decided to delay the security release further to January 7th 2026 to ensure the team has enough time to prepare the releases and avoid disruptions during the holiday season.
nodejs.org/en/blog/vuln...

17.12.2025 17:31 — 👍 17    🔁 3    💬 0    📌 0

Unfortunately my experience of December has been people stop turning up to the meetings but do not indicate that they won't/can't attend nor cancel them 😞.

17.12.2025 15:08 — 👍 0    🔁 0    💬 1    📌 0

⚠️ The security release has been postponed to the 18th of December. The team is working on a challenging patch.

15.12.2025 19:55 — 👍 19    🔁 4    💬 0    📌 0
A quote from RFC 6238: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."

In the end, it would be best if NPM just blocked TOTP reuse.

TOTP stands for “Time-based One-Time Password,” after all. The “one-time” property is important enough to account for 50% of the acronym. 🙂

Even the spec explicitly calls for blocking reuse: datatracker.ietf.org/doc/html/rfc... 6/6

12.12.2025 13:08 — 👍 9    🔁 2    💬 0    📌 0
Ride the Lego IBM Telum II

Devonte' Hawkins and I published a blog post all about the giant IBM Telum II that was professionally designed, you can read the full post here: community.ibm.com/community/us...

But at the end there's a surprise: the instructions and parts list for building your own little dual-chip module! Enjoy!

10.12.2025 17:43 — 👍 3    🔁 1    💬 0    📌 0
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou... GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...

npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript

10.12.2025 05:45 — 👍 18    🔁 10    💬 0    📌 1