Richard Lau
@rwklau.bsky.social
340 followers 25 following 22 posts
Software Engineer at IBM. Node.js Build Infrastructure, Releaser & Technical Steering Committee.
Reposted by Richard Lau
"No more juggling CommonJS and faux-ESM."
- @joyeecheung.bsky.social revealed how @nodejs.org is moving to full ESM and why the future looks brighter for developers.

www.youtube.com/watch?v=I0jv...
Reposted by Richard Lau
Introducing 🥁🥁🥁 our JavaScriptLandia award recipients for this year!

Beyond building new features, our recipients guide others, maintain essential systems, document the hard parts, and strengthen the community every step of the way. 💙

Read more about our honorees here: hubs.la/Q03NQvx10
Reposted by Richard Lau
Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify
performance improvements and JIT pipeline optimizations.

This release introduces the permission
model --allow-net, Web Storage is enabled by default, and more!

nodejs.org/en/blog/rele...
Node.js
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
nodejs.org
Reposted by Richard Lau
Node.js v24.10.0 is out.

* Per-stream inspectOptions support in console
* Removal of util.getCallSite (in favour of util.getCallSites)
* Upgraded OpenSSL to 3.5.4 and npm to 11.6.1
* Various src and benchmark optimizations

https://nodejs.org/en/blog/release/v24.10.0
Reposted by Richard Lau
We’ll be gathering in SF to celebrate Mikeal Rogers. A night he would’ve loved, and a fundraiser to support his family. 💚 Hope you can join. an-event-mikeal-would-have-liked.com
Reposted by Richard Lau
I gave a talk today at @nordicjs.com about shipping Node.js packages in 2025...or how to transition from shipping dual/faux-ESM/CommonJS to shipping ESM directly!

Slides at github.com/joyeecheung/...
Reposted by Richard Lau
Igalia's @joyeecheung.bsky.social will be speaking about "Shipping Node.js packages in 2025", focused on migrating dual/faux/CJS packages to ESM-only at Nordic.js on Friday, 3rd October at 10:30 CEST

nordicjs.com/2025/speaker...

Come say hi!
Reposted by Richard Lau
Other than the trusted publishing stuff (which is absolutely not ready for use yet, I will be outlining why in my JS Conf talk) this is a great write up of the recent goings on.
GitHub is overhauling npm security after the Shai-Hulud worm. Maintainers welcome the shift to stronger defaults, but are pressing for fixes to CI workflows, enterprise support & token usability.

Details on how community feedback is shaping the rollout:
socket.dev/blog/package...
Package Maintainers Call for Improvements to GitHub’s New np...
Maintainers back GitHub’s npm security overhaul but raise concerns about CI/CD workflows, enterprise support, and token management.
socket.dev
Reposted by Richard Lau
🚀 Node Rockets are blasting off (again) at #JSConf!

We’ve been launching these little rockets for over a decade, and yes, we’ve got the throwback pics to prove it.

Register: events.linuxfoundation.org/jsconf-north...
Reposted by Richard Lau
A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...
Node.js Collab Summit, October 17 2025, Chesapeake Bay, MD
Reposted by Richard Lau
Open source foundations don’t run on “magic piles of money.”

Registries, CDNs, CI pipelines, security response and compliance work all require sustained support. Read why OpenJS joined peers in signing “Open Infrastructure is Not Free.”

🔗 hubs.la/Q03KtFgr0
Reposted by Richard Lau
Open source maintainers keep our ecosystem alive, but they can’t do it alone.

Support the maintainers that support you.

Read more about why we're endorsing "Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship" alongside industry partners: openjsf.org/blog/magic-p...
Open Source Can’t Rely on Magic Piles of Money | OpenJS Foundation
OpenJS signs joint industry statement on sustainable open infrastructure
openjsf.org
Reposted by Richard Lau
OpenJS 🤝 Codemod

Node.js migrations just got way easier. We're partnering with Codemod to help developers update apps faster, safer, and with less manual hassle.

🔗 hubs.la/Q03KHF260
Codemod Becomes an OpenJS Foundation Partner to Support Node.js Migrations | OpenJS Foundation
Codemod partners with OpenJS to simplify Node.js migrations
hubs.la
Reposted by Richard Lau
Socket @socket.dev · Sep 16
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
Reposted by Richard Lau
ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…

Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week old
docs.npmjs.com/cli/v11/usin...re
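An added shell example (not from the original post) that applies the same --before pin as a supply-chain mitigation: freshly published versions are ignored, which buys review time when a maintainer account is compromised. The post's `date -v -7d` is BSD/macOS syntax, so the helper tries GNU date first and falls back to BSD date; the function names are assumptions.

```shell
#!/bin/sh
# cutoff_date DAYS: print an ISO-8601 UTC timestamp DAYS days in the past.
# GNU date understands "-d '7 days ago'"; BSD/macOS date needs "-v -7d".
cutoff_date() {
  days="${1:-7}"
  date -u -d "${days} days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -v "-${days}d" +%Y-%m-%dT%H:%M:%SZ
}

# before_args DAYS: print the npm argument that enforces the cutoff.
# --before only constrains versions resolved from the registry during this
# install; npm errors if no version of a direct dependency predates the cutoff.
before_args() {
  printf '%s' "--before=$(cutoff_date "$1")"
}

# install_before DAYS [extra npm install args...]: run the pinned install.
# Pair it with --ignore-scripts to also skip install-time lifecycle scripts.
install_before() {
  days="$1"
  shift
  npm install "$(before_args "$days")" "$@"
}

# Constructed usage: install_before 7 --ignore-scripts
```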
Reposted by Richard Lau
Socket @socket.dev · Sep 15
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
Reposted by Richard Lau
Node.js v24.6.0 is out 💚

Highlights:

* Use your system’s trusted certificates with NODE_USE_SYSTEM_CA=1
* crypto: ML-DSA (KeyObject/sign/verify)
* http: server.keepAliveTimeoutBuffer
* zlib: Zstd dictionary support
* fs: Utf8Stream (from SonicBoom)

Changelog: nodejs.org/en/blog/rele...
Node.js — Node.js v24.6.0 (Current)
Reposted by Richard Lau
Got quic in Node.js making progress again now that openssl 3.5 has landed, and finished another chapter in the book. Productive weekend. github.com/nodejs/node/...
quic: continuing work on impl using openssl 3.5 by jasnell · Pull Request #59342 · nodejs/node
More work on the implementation
github.com