Node.js Digest #2: npm and Social Engineering, LLMs in Node.js Development, More Updates, and CommonJS Criticism
Node.js Digest #2 by Oleksandr Zinevych
Hello everyone, my name is Oleksandr Zinevych, and I work as an Engineering Director (Node.js, Ruby) at Avenga. I'm presenting the second issue of the digest with news, interesting and useful content about Node.js.
Key Highlights

Prisma 5 -- a new version of the popular ORM. In short, the main changes are focused on improving Prisma's overall performance. The team did a great deal of work and switched to jsonProtocol by default in Prisma Client. Thanks to this and other improvements, they achieved very impressive performance metrics.
There's already a YouTube video that goes into more detail about the new version with Prisma representatives.
Bun 0.7 now has even more compatibility with Node.js and the Node.js ecosystem. They added experimental Vite support, implemented Web Workers, and also added a --smol flag so Bun can run in memory-constrained environments.
Deno 1.35.3 -- this month Deno also received several updates with various fixes and improvements. More details here.
Prettier 3.0. Key changes include migration to ECMAScript Modules and a change in the default value for trailingComma (now set to all). You can read more about what's new and what changed here.
The list of Node.js best practices received a significant update in July.
Major Update to the Node.js Website
Spoiler: it's not that major 🙈
The official Node.js Twitter account announced that the long process of migrating the main Node.js website to a new tech stack has been completed. It now runs on Next.js and Vercel. There are no significant visual updates, but as always, they promise improved reliability, performance, and other enhancements in the new version.
Hopefully, visual changes will also come and extend to the documentation section, because the way it looks as of 2023 is a bit (a lot 🙂) outdated.
In the meantime, feel free to test the new site and write under the tweet at this link if you find any issues.
Node.js Updates
As usual, this month there were release updates for various Node.js versions.
The latest release of Node.js 20, version 20.5.0, brought little that was new, but the previous version, 20.4.0, also released in July, was a bit more interesting.
In addition to various improvements and fixes, this version brought us the new MockTimers API, which allows mocking setTimeout and setInterval. They also introduced initial support for explicit resource management, so now you can use TypeScript's using.
There was also a release of Node.js v18.17.0, which updated the URL parser Ada and included updates to the Web Crypto API 💻.
Greetings from North Korea

In the previous digest, we already mentioned the npm ecosystem vulnerability, and now npm is being used for hacker attacks once again.
This time, the npm user community receives greetings from a previously unknown hacker group from North Korea. In July, GitHub reported a new attack targeting employees of technology companies.
In short, hackers created fake user profiles on LinkedIn, Telegram, etc. This fake user would reach out to a potential victim and propose collaborating on a GitHub repository. The victim would clone the repository and install all the necessary npm dependencies, some of which contained malicious software. You can read more here.
I'd like to add: be cautious and carefully watch which npm dependencies you use, because you might accidentally add some colleagues from North Korea to your team 🙂
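One way to act on that advice before installing a repository received from an unknown collaborator, as an added example that is not from the original digest or from GitHub's report: it lists lockfile entries that run install scripts, resolve outside the public npm registry, or lack an integrity hash. The package names and lockfile contents are constructed, and a package-lock.json with lockfileVersion 2 or 3 is assumed.

```javascript
// Added example: review a cloned project's package-lock.json BEFORE installing.
const REGISTRY = 'https://registry.npmjs.org/'; // assumption: only the public registry is expected

// Returns one finding per suspicious entry of a lockfileVersion 2/3 "packages" map.
function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace symlinks and bundled dependencies.
    if (path === '' || meta.link || meta.inBundle) continue;
    const reasons = [];
    if (meta.hasInstallScript) reasons.push('runs install script');
    if (!meta.resolved) reasons.push('no resolved URL');
    else if (!meta.resolved.startsWith(registry)) reasons.push('resolved outside registry');
    if (!meta.integrity) reasons.push('no integrity hash');
    if (reasons.length) findings.push({ path, version: meta.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile; every package name and URL here is hypothetical.
// For a real project pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-shared-project', version: '1.0.0' },
    'node_modules/example-clean-pkg': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/example-clean-pkg/-/example-clean-pkg-2.1.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/example-script-pkg': {
      version: '0.0.3',
      resolved: 'https://registry.npmjs.org/example-script-pkg/-/example-script-pkg-0.0.3.tgz',
      integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true,
    },
    'node_modules/example-git-pkg': {
      version: '1.0.0',
      resolved: 'git+ssh://git@example.com/someone/example-git-pkg.git#0000000',
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reasons.join(', ')}`);
}
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while the flagged entries are reviewed.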
2023 State of API Report
Postman published the results of their 5th annual State of API survey. Of course, the survey included not only Node.js community members, but the results are interesting to study and most likely represent the state of affairs in APIs written in Node.js or similar platforms.
You can view the full report here, and I'd like to draw your attention to a few specific topics.
For example, about 65% of respondents indicated they use AI tools when writing APIs.

Respondents also noted that when a developer leaves a project, the biggest problem is outdated documentation, as well as zombie APIs that everyone forgets about and doesn't properly maintain.

Something to Watch
In June, the Node Tel-Aviv conference took place, and recordings of the talks have started to appear. You can watch them here. I found the talk by Adir Amsalem about writing CLI applications in Node.js interesting, as well as ESM Loaders: Enhancing Module Loading in Node.js by Gil Tayar.
Recordings from the latest JSNation 2023 conference are now available. Of course, not everything there will be interesting specifically for Node.js developers, but I particularly enjoyed two talks:
- Matteo Collina on ORMs -- "I Would Never Use an ORM";
- on AI and web development -- "AI and Web Development: Hype or Reality".
Here's the full list of talks from this and previous conferences.
If you're not yet familiar with Edge Computing, then the talk by Alexander Karan about what Edge Computing actually is and how it can be used will definitely be useful for you.
Viktor Turskyi released the first video in a series "about how the internet works." It will definitely be useful for those who already know the topic to refresh their knowledge, and will give newcomers a chance to learn 😉
A new episode of Tekhreveni was released, where we discuss modern trends of transitioning from desktop to web, from web to desktop, and the technologies related to all of this.
And in this video, Erick Wendel creates his own linter 🤯
Something to Read
Andy Jiang from the Deno team decided to throw not just a stone, but a hefty handful of stones at Node.js, specifically at the CommonJS system, calling it a burden that needs to be urgently abandoned. You can read more here.
On the official TypeScript website, the documentation page for ECMAScript Modules in Node.js is being actively updated, explaining the support for this technology in TypeScript.
Not sure why a native test runner was added to Node.js? Colin J. Ihrig published his thoughts on this topic. They'll help form the right expectations and understanding of why the native test runner is needed.
On the AppSignal blog, they explain how to integrate Fastify with their system. While it's somewhat promotional on their part, the general approach can be applied to other platforms as well.
Library of the Month
The biggest news of the month was, of course, that ChatGPT-4 got dumber, but the hype and hopes placed on LLMs haven't gone anywhere. The Node.js community was also influenced by this topic this month.

Microsoft released the TypeChat library, which allows you to structure responses from the OpenAI API. We could already explicitly describe the format we needed for a response -- a simple list or JSON. Essentially, TypeChat automates and encapsulates this process.