15 Recent Node.js Features that Replace Popular npm Packages
Over the years, Node.js developers have relied on countless npm packages to fill gaps in the platform.
weeklyfoo #106 / 2025-10-13
Benchmarks of JavaScript Package Managers
Was not aware of that: pnpm regularly updates these benchmarks that compare npm, yarn and pnpm
weeklyfoo #18 / 2024-02-05
cleaning house in nx monorepo, how i removed 120 unused deps safely
Short version, I ran Knip across our Nx repo, took the unused list as a hint, deleted candidates, built, tested, booted apps, and put a few back when they were secretly used.
weeklyfoo #106 / 2025-10-13
How to keep package.json under control
Val Town is a React application with a ton of dependencies. It's complicated, and we have to deal with dependency upgrades all the time.
weeklyfoo #102 / 2025-09-15
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
weeklyfoo #69 / 2025-01-27
Leaner npm packument (metadata) contents
Mastering NPX
Modern JavaScript library starter
How to publish a package with TypeScript, testing, GitHub Actions, and auto-publish to NPM
weeklyfoo #18 / 2024-02-05
Nightmares on npm: How Two Malicious Packages Facilitate Data Theft and Destruction
Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.
weeklyfoo #54 / 2024-10-14
npm Adopts OIDC for Trusted Publishing in CI/CD Workflows
npm now supports Trusted Publishing with OIDC, enabling secure package publishing directly from CI/CD workflows without relying on long-lived tokens.
weeklyfoo #99 / 2025-08-25
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack
npm author Qix's account was compromised, with malicious versions of popular packages like chalk-template, color-convert, and strip-ansi published.
weeklyfoo #102 / 2025-09-15
npm in Review: A 2023 Retrospective on Growth, Security, and Quirky Facts
npm malware
NPM registry prank leaves developers unable to unpublish packages
npm trusted publishing with OIDC is generally available
As of today, npm trusted publishing with OpenID Connect (OIDC) is now generally available.
weeklyfoo #97 / 2025-08-11
Our plan for a more secure npm supply chain
Addressing a surge in package registry attacks, GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.
weeklyfoo #104 / 2025-09-29
The Great npm Garbage Patch
The package that broke NPM (accidentally)
The story behind the <everything> npm package that stressed npm
weeklyfoo #15 / 2024-01-14
The Risks of NPM
We shouldn't have needed lockfiles
Which npm package has the largest version number?
Why Does 'is-number' Package Have 59M Weekly Downloads?