Node.js Digest #20: Deno vs Oracle Episode 3, Serverless MCP, Dangerous Node.js, and State of Web Dev AI
Node.js Digest #20 by Oleksandr Zinevych

Hey, community! The Avenga team here with our regular monthly digest of the most interesting news from the world of Node.js and everything related to server-side JavaScript.
If You're Really Short on Time:
The vibe coding hype has swept past us, and fortunately, we all kept our jobs! Here's a quick overview of the top news from last month in the backend JavaScript world:
- Node.js v24 is on its way and will soon become the "current" version. Below you can read about what's new in this update;
- In Node.js v25, localStorage support will likely be enabled by default (here's an active pull request where the work is underway).
- Node.js v18 has officially reached "end of life" status, and v23 has moved to maintenance status.
- It seems like everything around us will soon be AI agents, right? The Bun team agrees, which is why they added a llms-full.txt file that you can feed to your favorite LLM.
- On top of that, Bun has further improved Node.js compatibility, and Node.js Events module tests now pass at 100%.
- JSR packages can now be used with pnpm and Yarn.
Deno vs Oracle, Episode 3

Here's the third episode of the "Deno vs Oracle" battle, and it looks like this standoff will continue into 2026. As I mentioned in the previous digest, Ryan Dahl caught Oracle using a screenshot of Node.js to confirm their rights to the JavaScript trademark. Now Oracle is trying to brush this off, arguing: "but we also had a different screenshot!" (though of a tool nobody has ever heard of).
Meanwhile, Deno is outright calling this fraud, since unauthorized use of someone else's project is clearly not a minor documentation error. The TTAB (Trademark Trial and Appeal Board) now has to review this case and decide whether the fraud claim will proceed. Over the next 3-4 weeks, it will become clear whether the case will move forward only on other grounds (that the mark is generic and abandoned) or whether the fraud accusation will remain active.
JavaScript Everywhere

Microsoft reports a troubling new trend: cybercriminals are increasingly using Node.js for malware. Why? Because with Node.js, such code is easy to run, hard to detect, and cross-platform: the perfect tool for a modern attacker.
Attackers are packaging their tools using Node.js, leveraging its flexibility to create Remote Access Trojans (RATs), data stealers, and other malicious components. Node.js applications easily disguise themselves as regular processes and can quietly run in the background, often bypassing security tools.
Additionally, attackers actively use obfuscation and publish npm packages that, at first glance, raise no suspicion, making threat detection even more difficult.
Microsoft's advice? Treat Node.js as a powerful scripting runtime environment. Node.js is not just a development tool but also a potential attack vector. Set up effective monitoring, audit dependencies in your npm projects, and secure your runtime environment.
What's New in Node.js v24

Node.js v24 may have already been released by the time you're reading this digest, so let's dive into the most interesting new features of our favorite platform!
One of the most practical changes is resource management with the new using and await using constructs. Resources declared this way are automatically released after they're done being used and go out of scope, making your code safer and better from a developer experience perspective. Now Node.js will look even more like C#, for example, where this construct has existed for quite a while.
URLPattern has also become a global object, finally available without any extra imports.
Another useful feature is the Error.isError() method, which allows you to reliably check whether an object is an error, even across different realms.
Other improvements include:
- V8 engine update.
- The Permissions model has gained more stability.
- Updated npm version.
- And much more!
See the full list of changes here.
Continuous Integration, but with Security Issues

In March 2025, the Node.js team experienced a security incident. Attackers managed to execute unauthorized code on Node.js's CI infrastructure. Interestingly, this wasn't due to some deep vulnerability but rather a clever exploitation of pull requests on GitHub. A fairly simple commit manipulation was enough to bypass checks and trick CI into running third-party code.
This incident is yet another reminder: even the most secure systems can be vulnerable to social engineering and abuse of mechanisms that appear safe at first glance. The Node.js team responded promptly by reviewing access policies and strengthening checks in the CI pipeline.
State of Web Dev AI
We recommend checking out the results of the State of Web Dev AI survey. As always, there's quite a lot of statistical data about which tools respondents use:
- Among the most popular tools are ChatGPT and Claude (as expected);
- The biggest problems when working with LLMs are hallucinations and context window limitations;
- Cursor is the leader among AI-focused IDEs, but respondents haven't forgotten about VS Code either;
- GitHub Copilot is the leader among Coding Assistant tools, but there are signs that Supermaven could become its competitor.
The Opinions category deserves special attention, where in-depth questions were asked. For example, most respondents agreed that AI tools negatively affect the overall level of expertise in the industry, and most also have concerns about job security and, to some extent, even AI's impact on the future of humanity.
Something to Read
- The Platformatic team wrote about how fine-tuning Garbage Collection (GC) and memory management in V8 can significantly improve Node.js performance.
- Liran Tal explains how to use less npm install and rely more on native Node.js core modules.
- Lately, you can hardly go anywhere without hearing about MCP. Riding this wave, the Serverless team introduced their own Serverless MCP Server, which looks interesting in the demo video, but we all understand that in real life things aren't quite that smooth.
- A fairly deep dive into how Netflix achieves the video streaming quality we all love about the service.
- How to make contributing to Open Source not just a habit but a mission? An interesting study about how the Forward Email team puts this approach into practice.
- Some thoughts on why TypeScript is moving to Go.
- Just for fun, because I liked the name: bhvr (Bun, Hono, Vite, React). A sort of project starter simplifier. Although what could simplify things more than Cursor?
- About the new typed array in JavaScript, Float16Array, by Trevor I. Lasn.
- We all know about CORS, but it never hurts to be reminded why you should be careful with it, especially when it's written about in the GitHub blog.
- You can never have too much OWASP, so here are recommendations for working with npm packages.
Something to Watch
This month, pay attention to videos from Matt Pocock:
Where the author slightly adjusts his position on using types vs interfaces:
https://www.youtube.com/watch?v=e0AIkYrXAYE
If you haven't been paying attention to the Zod library yet, this time it's really worth it (version four is already out):
And also about what healthy vibe coding might look like:
It's always interesting to listen to a conversation between two smart people. This time it's a discussion between Stefan Baumgartner and TypeScript Cookbook author Peter Kröner:
Did you know Google has a Git killer? If not, it's time to learn about something you could start integrating into your projects tomorrow:
If you work with event-driven systems, the Outbox pattern might be something you're already using. If not, the Software Developers Diaries channel discusses the advantages of this approach:
Updates/Releases
- Runtimes: Node v22.15.0, Node.js v20.19.1, Deno v2.3, Bun v1.2.12;
- Frameworks: Koa v3.0, Nest.js v11.1.0;
- Libraries: Prisma v6.7.0, Zod v4 beta.
A Few More Interesting Things
Here you can read about the WhatsApp architecture that handles a load of 40 billion messages per day.
If the word "parquet" doesn't just hint at a career change after programmers are replaced by AI, but also reminds you of the Parquet data format, then you may have heard of Apache Iceberg:
Many of you know that Bun is written in Zig. Here's someone who worked with this language for two whole years and shared their impressions:
It seems there's a brewing discord among React developers. Fireship tells the story: