Rafael Gonzaga | Node.js
Node.js Technical Steering Committee member
- This release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:
- Node.js v25.4.0 is out! 💚 • require(esm) now stable and a new CLI flag: --require-module • http setGlobalProxyFromEnv() added • Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects) • Root CAs updated to NSS 3.117 More in: nodejs.org/en/blog/rele...
- Can we just all agree to extend the holiday break a bit longer? Maybe into March?
- Oh hi. 👋 We're back with the latest Security Snapshot that covers how to publish to npm safely and with ease. ✨ @rafaelgss.dev breaks down why local publishing with 2FA gives you the safest setup right now.
- SEMVER MAJORS ARE BORING 🚨 Major releases mostly bring breaking changes, not shiny new features. The fun stuff? That’s hiding in the minors. @rafaelgss.dev talks about why you should follow the minor releases in our latest JavaScript Security Snapshot.
- Want to dive in further? Check out Rafael’s release of @nodejs.org 25: twitch.tv/videos/25925...
- ok so... I'm writing a book. It's called JavaScript In Depth (www.manning.com/books/javasc...) ... the first four chapters are available by Manning. This has been a difficult project and will continue to be so. The reason is that it isn't a How To book that focuses only on how to use the language
- Before automated workflows, releasing @nodejs.org meant 20 manual steps. Now it’s one command. 👀 @ulisesgascon.com and @rafaelgss.dev share how the Node.js build team went from a rack of Raspberry Pis in someone’s garage to full release automation. 👉Build Team on GitHub: github.com/nodejs/build
- Thanks for your hard work on this @notwes.bsky.social
- After a few months of targeted attacks on our ecosystem, followed by a confusing and rapidly changing response from @github.com, we wanted to put together some guidance for maintainers on how to help us all secure our supply chain together. Here is that guidance 👇
- It was great working with you on this! As much as I dislike that we had to do this work, I think it is important that we did it so there is a thorough and accurate resource about the current state of things.
- With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️ We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
- Too many @nodejs.org users are running old versions 😬 The team is exploring changes to the release schedule to fix that. @rafaelgss.dev shares all the details in our latest JavaScript Security Snapshot. Be a part of the conversation on releases: github.com/nodejs/lts-s...
- Ever wonder why @nodejs.org drops new versions like clockwork? Here’s the scoop. ⏱️ @rafaelgss.dev shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot.
- @rafaelgss.dev any chance y'all could update the v8docs.nodesource.com to include 25.x? Pretty please :-)
- i’m starting to get that “this word is weird now” feeling from hearing so many sentences like “releasers releasing releases” at the @nodejs.org collab summit
- Starting the day at the Node.js Collab Summit #nodejs #javascript
- Introducing 🥁🥁🥁 our JavaScriptLandia award recipients for this year! Beyond building new features, our recipients guide others, maintain essential systems, document the hard parts, and strengthen the community every step of the way. 💙 Read more about our honorees here: hubs.la/Q03NQvx10
- I'm excited about net in permissions!
- Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify performance improvements and JIT pipeline optimizations. This release introduces the permission model --allow-net, Web Storage is enabled by default, and more! nodejs.org/en/blog/rele...
- Node.js v24.10.0 is out. * Per-stream inspectOptions support in console * Removal of util.getCallSite (in favour of util.getCallSites) * Upgraded OpenSSL to 3.5.4 and npm to 11.6.1 * Various src and benchmark optimizations nodejs.org/en/blog/release/v24…
- Lots of GREAT progress and discussion on our @expressjs.bsky.social Performance Working Group. Thanks everyone who is participating as I think this is the second most (security comes first) impactful thing we could be working on. For anyone interested in helping out: github.com/expressjs/pe...
- Our goal is to provide guidance and tooling for perf based decisions to the maintainers under our umbrella. Aligning our philosophy for how/what we monitor and how to interpret the results lets us be consistent across our 50+ packages. I've been learning a lot so far, and big ty to @rafaelgss.dev
- Hey @nodesource.bsky.social folks... Can I bother y'all to update the V8 doc site to cover node.js 24? @rafaelgss.dev
- Folks, right now @rafaelgss.dev is doing an awesome livestream on m.twitch.tv/rafaelgss talking about Node.js threads, memory management and perfs. Join us!
- ⚠️ Security release pre-alert: We will release new versions of v20.x, v22.x, v23.x, v24.x release lines on or shortly after May 14, 2025, in order to address: - 1 high severity issue - 1 moderate severity issue - 1 low severity issue Details: nodejs.org/en/blog/vuln...
- Has anyone done extensive @nodejs.org benchmarking in the form of squeeze testing? @nodeland.dev or @rafaelgss.dev maybe? There is a difference between loading up a system and loading it up until it falls over to see what falls first. Just hoping there is some OSS prior art on this.
- I wrote one for work a while ago but it was pretty bare bones and bespoke to that use case. The main way Netflix does this is not really applicable outside of that system. Trying to decide if it is worth trying to build something.
- Hoping to avoid building something honestly.
- A stress test? This is not recommended as a benchmark methodology. The data produced by a stress test should not be compared as other factors will affect the result. I think this should be considered as an infrastructure test instead.
- Sure, maybe using the word benchmark was poor. But yea, in a real system this finds a lot and I don’t mean to “compare” really, just to find the bottlenecks.
- With this release we have also issued the CVEs to EOL versions of Node.js
- Node.js @nodejs.org Security Releases: January 21, 2025 Node.js security updates now available for 23.x, 22.x, 20.x, and 18.x, addressing key vulnerabilities. undici (v7.2.3, v6.21.1, v5.28.5) on v23.x, v22.x, v20.x, v18.x. 👉 bit.ly/4hohEIL
- I have just updated it. I forgot to push it publicly. It should be fine now.
- Thank you for your hard work on this stuff. It is appreciated and valued! 🙏
- The blog post doesn't indicate this though. Where are those CVEs?