Node.js Digest #15: JavaScript Losing Ground, Express 5, Node.js 23, JSSugar and JS0, Microsoft and a 178GB Monorepo
Node.js Digest #15 by Oleksandr Zinevych
Hey, community! Oleksandr Zinevych here, Engineering Director at Avenga. I was a bit busy with this and this, so the digest is coming out a bit late. Apologies for the inconvenience, and let me walk you through what happened in the world of server-side JavaScript throughout October.
Key Highlights
Sadly, according to GitHub data, JavaScript is no longer the most popular language — it's been overtaken by Python. We all need to work together to fix this by next year ;)
Perhaps AI tools will help us reclaim JavaScript's position, specifically Claude AI, which can now not only generate JavaScript code but also partially execute it. This has been covered here and here.
The usual Node.js updates. Node.js v22.11.0 received LTS status with no additional changes compared to v22.10.0. Node.js v23 was also released, which finally dropped support for 32-bit Windows systems, removed the --experimental-require-module flag (you can now load ES modules with a simple require()), and, as usual, added various improvements and bug fixes. The currently available version is Node.js v23.1.0.
MongoDB v8.0 — the new version added a ton of stuff related to security, data aggregation, sharding, and replication. If you're on the fence about which database to use for a new project, here's a comment from the Mongo team on why MongoDB v8.0 might be a good choice.
Serverless-express v4.16.0 — Express v5 support has been added here.
TypeScript v5.7 beta — interesting highlights include improved checks for uninitialized variables and improvements to working with tsconfig.json files.
Express 5

More than 10 years ago, a PR for Express 5 was opened, and the saga with the new version continues. Express 5 kind of released, but kind of didn't 🫠
Recently, the team published a press release with some details about what's happening with the new version of the framework and where it's all headed.
You can try Express v5 using the next tag. The team made this decision, on one hand, to finally get this release out to the community in some form and, on the other hand, to revive the process of maintaining and working on the project in line with the latest practices for open-source projects of this scale.
Besides explanations about what's happening with the framework and why the release looks the way it does, they shared a bit about the upcoming changes. Namely — dropping support for ancient Node.js versions below 18, improvements to body-parser and path-to-regexp, and more.
I'm glad the project is coming back to life, but whether it can go from being the darling of legacy systems to a worthy competitor among modern frameworks — only time will tell.
JS0 or JSSugar — Who's in Charge

In case you haven't heard, a proposal recently came from Google to split JS into two parts. I imagine you feel the same surprise and confusion about this proposal as I initially did.
Don't think this isn't serious. Here's a short post, as well as a full presentation of this idea with explanations and arguments for why it matters. One of the main arguments is that the language's evolution creates significant pressure on the V8 engine development team, which instead of making everything better for end users, is forced to chase after developers' whims.
To avoid this, the proposal suggests splitting JavaScript into JavaScriptSugar and JavaScript0. For end developers, everything would remain unchanged, since JavaScript = JavaScriptSugar + JavaScript0. JavaScriptSugar is all the latest JavaScript features, which would be compiled by additional tools like Webpack into JavaScript0, the part that engines support.
On one hand, this initiative is seemingly nothing more than an attempt to explicitly formalize what's already happening with JavaScript. On the other hand, the argumentation is a bit weak. Maybe it would be better to look toward WebAssembly? It seems many in the community share these doubts. This sparked a heated discussion here.
How this all ends up and whether we'll have two JavaScripts, we'll see very soon.
npm Horror Stories

Since Halloween was just around the corner, I wanted to scare you a bit, and the only way I can do that is with new frightening stories from npm. The Socket team shared in their blog two cases of malicious npm packages that stole personal information or could even destroy it altogether.
The second case is particularly interesting: cookie parsing hid functionality that deleted data, not immediately, but only after an hour. The way this code was concealed prevented automated systems from catching the malicious nature of the package.
Be cautious and always use verified packages, rather than something that will exploit your trust in npm and help bad actors do bad things.
How to Leave the IT Cloud

The traditional section that's not quite about Node.js. A few weeks ago, 37Signals founder David Hansson shared some details in his personal blog about how migrating from the Cloud to their own servers could potentially save them 10 million dollars.
Of course, at the scale and user base of their projects, such a transition is more than logical. They can invest in deploying and maintaining their own infrastructure, which will help save money going forward. Here you can read about the team's motivation and how the migration was organized.
A 178GB JavaScript Monorepo

Can you even imagine such a repository? 178GB is the size of all Game of Thrones seasons in pretty decent quality, or Microsoft's JavaScript monorepo containing the codebase for many of their popular and not-so-popular products. Feel free to crack jokes about Microsoft in the comments, but the problem itself is interesting.
In his blog, Jonathan Creamer shared how their monorepo first grew to 178GB and was then heroically reduced to 5GB due to a quirk in how Git works that was baked in by Linus Torvalds himself.
You can read more about how to avoid this on your project here.
Something to Read
Some of the key technical experts working with server-side JavaScript came together and formulated an excellent collection of principles for building Node.js applications. These materials will be especially useful for those transitioning to Node.js from another technology.
And here's simply a fairly large collection of various resources where you can read about software architecture.
Most of you have heard about Bun's much-advertised Node.js compatibility. The Bun team didn't share much about how this compatibility was achieved. But in their blog, the developers published material about how they built V8 API support — without actually using V8.
And here's a bit about timezones in Node.js.
I've already mentioned the Hono framework in my digests. Recently, the author himself shared more details about it. Why you should consider Hono, what makes it special, and what to do if you want flexibility in working with different JavaScript runtimes — you can read about all of that in this article.
Reinventing the wheel isn't always a good idea, but it's always interesting. You need to understand how those wheels are supposed to work. In his blog, Robin Wieruch shared how to build your own authentication system.
Why rewriting an existing project in something new and trendy like Rust isn't always a good idea is what Nolan Lawson reflects on.
A short tutorial from Timescale on how to build image search functionality. There's some promotion of their products in the post, but overall it's interesting to learn about the approach.
If, like me, you have doubts that AI will replace all of us anytime soon, read this short note from Google about how much of their code is already generated by AI. Of course, this is more clickbait than fact, since you can generate code of varying quality. But the trend definitely deserves attention.
If you don't like regular expressions, this article isn't for you. But it might be interesting to read about how regular expressions can be combined with TypeScript types.
Why security matters a lot, and which vulnerability in the Zendesk system allowed access to data from many large companies, is covered in the story shared by a direct participant.
For those who don't know, Node.js can now execute TypeScript. Sam Thorogood briefly described in his blog how it works.
The Deno team explains how to quickly convert CJS to ESM.
What should you use for schema validation — VineJS or Zod? LogRocket covered this in their blog.
The story of ChartDB, and how you can use AI to build, in just a few weeks, a project that takes off.
Something to Watch
How to use the Anthropic API with JavaScript and Supabase:
If you think SQLite is dead — it's not, it's very much alive. CoderOne released a video about why SQLite can still be used in the age of everything-cloud, and how to do it right.
How to test Serverless? This question is always relevant and doesn't always have a simple answer. That's exactly the topic Pawel Zubkiewicz covers in a new video on the Serverless Land channel.
Fireship continues to promote Deno, this time with JavaScript benchmarking tools.
Thoughts on AI and JavaScript from Jason May:
If you haven't heard of the Feature Flags approach yet, it's time to learn what it is and how to build it.
A bit about what modern Junior developer hiring looks like:
Library of the Month

On the recommendation of Stas Slesarev, I can recommend the excellent library piscina, which will help you work efficiently with workers in Node.js both in terms of developer experience and performance.
