Node.js Digest #11: Node.js Turns 15, TypeScript 5.5, Cloudflare Blackmail, RATs in NPM
Node.js Digest #11 by Oleksandr Zinevych
Hey, community! Oleksandr Zinevych here with a new edition of the digest featuring news about Node.js and beyond.

Key Highlights
🔹 TypeScript 5.5 RC — arguably one of the biggest TypeScript updates in recent years. Check it out so you can mentally prepare and allocate time for the upgrade 😉
🔹 New versions of Node.js, v20.14.0 (LTS) and v18.20.3 (LTS), have been released. Nothing too exciting here, but they did ship a few fixes.
🔹 Hono v4.4 received a lot of updates. This version added JSR support for Deno, a helper for easier access to connection information, and a timeout middleware.
🔹 Turborepo v2.0 — the new version features a much more convenient terminal, new configuration options, and bug fixes. It's a big and interesting release for anyone who used previous versions.
🔹 Minor updates: Prisma v5.15.0 and pnpm v9.2.0.
Node.js Turns 15 🎉

In May, Node.js celebrated its 15th anniversary 👏 You can congratulate (even if a bit late) our beloved technology on the official account on X.
Over these 15 years, Node.js has gone from a small project with unclear use cases to the most popular server-side JavaScript runtime and one of the most popular platforms for backend web development (and beyond).
However, alternative JavaScript runtimes have emerged recently, such as Deno, Bun, and others. Each new runtime highlights certain problems present in Node.js and explains how their solution will improve developers' lives and encourage migration from Node.js. As a result, some question whether Node.js is still relevant and whether it's a technology that will soon start dying, especially given its long history and the existence of alternatives.
Matteo Collina attempted to answer this question in his blog, discussing what has happened with Node.js over these 15 years and what's going on right now. In short, Node.js is alive and well, and this graph shows how downloads have been growing year after year, along with the number of places where Node.js is used:

Matteo Collina also shared some insights about how Node TSC (Technical Steering Committee) approaches platform security and how security work is funded through grant programs (keep in mind that most core contributors have separate full-time jobs, and Node.js is essentially a volunteer effort). Besides security, Node.js has recently gained fetch, ESM, AsyncLocalStorage, a permissions system, a test runner, and more.
In short, the platform is alive. Happy birthday, and here's to rapid development and celebrating 30 years! 🥳
Did ESLint Say Yes?

It looks like ESLint will soon support eslint.config.ts. This is evidenced by a corresponding RFC filed in the ESLint GitHub repository and what appears to be a consensus among the TSC. Five years ago, the core ESLint contributors couldn't agree on this and rejected a similar proposal, but now, given the growing popularity of TypeScript and the development of its ecosystem, it was hard not to make this decision.
Cloudflare — Blackmailers

This story isn't directly about Node.js, but rather yet another horror story about cloud services and Cloudflare in particular. It turns out Cloudflare are quite the blackmailers 😏
If they need to move your account to a different subscription tier, usually a more expensive one, be prepared for them to find a way to force you into it, or to simply suspend your account entirely.
In the story above, one fine day Cloudflare sales reps started contacting the author with emails about some serious technical issue in their account settings that required a meeting. During the meeting, it turned out there was no issue at all, just a proposal for a new pricing plan that was many times more expensive than the current one and required a year of upfront payment. The more the authors refused this proposal, the more aggressive the Cloudflare representatives became, eventually resorting to outright blackmail with a 24-hour payment deadline. When the payment wasn't made, the service was simply terminated.
It's a scary situation, and it's fortunate that the team was able to quickly migrate everything to another provider. So be careful with Cloudflare, and if you receive an email about some issue with your account, prepare to move to a different host.
ChatGPT Isn't That Smart

Many readers actively use tools like ChatGPT or Copilot. I, for example, use ChatGPT to automate some routine processes just to get certain tasks done faster.
Yes, yes... I'm actively contributing to that whole Skynet thing)))
No matter how convenient these tools are, now that the user base is enormous, we can analyze the quality of the answers they give us. My attention was drawn to this discussion, where the community talks about research on whether ChatGPT gives better answers than StackOverflow. There's a lot of text, but in short, the research shows that in more than 50% of cases, ChatGPT gives worse answers than StackOverflow. Of course, this is only for now, and someday these statistics will flip the other way, but for the time being, verify what ChatGPT tells you.
Is JavaScript Cool or Not?
Many years ago, when I was just entering IT, JavaScript was always criticized as being a somewhat incomplete language. Time has passed, JavaScript is now one of the most popular development languages, yet this criticism persists. On X, the father of JavaScript himself responded and described what he thinks about JavaScript. As always, things aren't black and white. You can check out the response and the comments here.

RATs Are Attacking

In their blog, the Phylum team shared a fresh and dangerous discovery in npm. Specifically, they found an npm package that executes a RAT (Remote Access Trojan), launching separate files and processes that allow listening for commands from the outside. As always, keep an eye on the packages you install, because npm is overflowing with malicious code.
Something to Read
🔹 Marco Mauro talks about how he improved his productivity and uses Node.js and ChatGPT to generate brief summaries from any article.
🔹 Redirecting from HTTP to HTTPS can cause more harm than good. Why? The answer is in this post.
🔹 Cloudflare is expanding its presence and adding regional services.
🔹 Haven't used the native test runner in Node.js yet? Here's a short guide on how it works.
🔹 Snowflake is in big trouble — several large clients using the platform suffered a significant data breach. It's still unclear who's at fault, but it's an interesting story.
🔹 There are tons of job titles for various roles on projects and in companies today. Sometimes it's hard to figure out who is who and what they're responsible for. Darren Evans and Steve McGhee bust myths and explain what platform engineering actually is.
🔹 Haven't heard of Promise.withResolvers() yet? It's time to get acquainted 🙂
🔹 A few success stories of using MongoDB.
🔹 And here's a bit about what things to consider and why it's important to design the right document structure from the start when working with MongoDB to handle millions of records in production. For some, this is basic knowledge; for others, it will be useful to refresh or learn.
🔹 The Socket team summarized where JavaScript is headed and what new features to expect in the future based on the recent Ecma TC39 meeting that took place in Finland.
🔹 Have you ever wondered how AWS Lambda works under the hood? How they start up, how code is executed, what virtual environment is used? ByteByteGo aggregated various talks on AWS, AWS Lambda, Serverless, and more, and tried to answer all these questions.
🔹 A story about how memory leaks and setTimeout() are related in Node.js applications.
🔹 Harrison Broadbent shares another horror story about a big bill from a cloud provider, this time from Netlify.
🔹 A short guide on how to use BullMQ in Node.js.
🔹 The Nearform team has various articles about Node.js on their blog. Here you can read about the new HTTP parser Milo, and here about memory management in JavaScript.
🔹 Liran Tal shares his thoughts on the key features of Node.js as a runtime that you might not know about yet.
🔹 Matt Bessey talks about why he's tired of GraphQL.
Something to Watch
🔹 A bit more about npm's competitor from Deno — JSR:
🔹 Another horror story about cloud services and the Serverless approach from Fireship:
🔹 Takuya Matsuyama invites you to learn the Hono framework with him:
Learn with me: Hono JS (How I take tech notes)
🔹 A review of what many call one of the biggest TypeScript updates in recent years, by Theo Browne:
🔹 In an era when Node.js has competitors like Deno and Bun, it's not always clear whether it's worth using them. Maximilian Schwarzmuller tries to answer this question:
🔹 A bit about System Design in a new video from ByteByteGo. If you've already worked with Data Pipelines, there won't be much new for you in this video. What it is, what it's for, the main tools — that's what they cover in this short video below:
🔹 It's always interesting to hear from people who work at top-tier product companies:
🔹 Recordings from JSWorld Conference are out. There's a lot of frontend content, but some talks may also be interesting for those who use JavaScript on the server. These videos caught my attention, for example:
Service of the Month
This time it's a service, not a library. I couldn't help but share my discovery of a service that can breathe new life into our familiar GitHub Gists — val town. With this tool, you can create cron jobs, send emails, and even build an API. There's even a leaderboard with trending vals. It looks cool, although for me it's a bit unclear where exactly I'd use it 🙂
