Node.js Performance Benchmarks Impact Security? Bad RegEx, and the Era for TypeScript & ESM in 2025?

Node.js runtime version download stats shared by Matteo Collina on X/Twitter:


To continue with more Node.js project news…

💡 Did you know about the Package Maintenance initiative in the Node.js project? This working group helps surface unmaintained and potentially abandoned npm packages that are crucial to the ecosystem (think in terms of millions of downloads) and transfer ownership in part/full to trusted ecosystem maintainers. It exists to avoid a meltdown in npm dependencies due to breaking issues in such widely dependent-upon packages.

Headlines

How to use the new Promise.withResolvers - You’re probably familiar with the new Promise constructor, but there’s an even more elegant way of converting event-emitters and callbacks than wrapping your whole code block in an executor, and that’s Promise.withResolvers, which landed in Node.js v22.0.0.

URL Regex Validation: what can go wrong? - Are you using regex to validate URLs? Learn from a CVE identified in the node-forge npm package, which used a regex pattern to validate URLs and ended up with a security vulnerability as a result.



Comparing various server-side rendering frameworks including Fastify - Platformatic published their benchmarks testing fastify-html, vue, svelte, solid, preact, and react for speed and performance of their server-side rendering. Can you guess which performed best and worst?

Keeping with Node.js performance benchmarks, why is spawning a new process in Node so… slow 🐢? - A fun experiment that Max McDonnell created to benchmark how Node.js, Deno, Bun, Go and Rust compare when doing a child_process.spawn() task. This experiment has some security-related implications too: for example, if you’re aware of regular expressions creating a denial-of-service impact on the Node.js main thread (ReDoS), you might have sought out a workaround that spawns them in a new process, resolving there or killing the process on timeout, right? Well, not so fast, because you’ve traded a DoS problem for a performance problem.

Did you hear about Civet? - Civet is a programming language that compiles to TypeScript or JavaScript, so you can use existing tooling. It’s already 99% JS/TS compatible. Are we going into another era of hyper-drive proliferation of JavaScript frameworks, runtimes, and languages?


📦 On npm

An all-around collection of TypeScript and ESM tools for project scaffolding, npm publishing, bundling and other utilities:

  • create-typescript-app - Quickstart-friendly TypeScript template with comprehensive, configurable, opinionated tooling.
  • Clipanion - Type-safe CLI library with no runtime dependencies
  • tshy - Hybrid (CommonJS/ESM) TypeScript node package builder. Write modules that Just Work in ESM and CommonJS, in easy mode.
  • tsup - Zero config TypeScript bundler with treeshaking and minification.
  • stricli - Bloomberg’s stricli is not very popular but they do bundle many features like TypeScript support, dual ESM and CommonJS publishing, typing command line arguments, out of the box support for auto-complete and more.

❗ New Security Vulnerabilities

💼 Hiring


Node.js Security Newsletter
