Node.js Digest#20: Deno vs Oracle ep.3, Serverless MCP, Malicious Node.js, State of Web Dev AI
Hi community, this is the Avenga team with our regular monthly digest of the most interesting news in the world of Node.js and everything related to backend JavaScript.
If you don’t have time:
The hype train of “vibe coding” passed us by — and luckily, we all still have our jobs! Here’s a quick overview of last month’s top news from the backend JavaScript world:
Deno vs Oracle, ep.3
In Episode 3 of the "Deno vs Oracle" battle, it looks like the fight will continue even in 2026. As I mentioned in the previous digest, Oracle was caught using a Node.js screenshot to defend their JavaScript trademark. Now Oracle tries to brush it off with a "but we also had a real example!" defense. Meanwhile, Deno calls it what it is — fraud, because misusing someone else's project isn’t exactly a minor paperwork error. The TTAB (Trademark Trial and Appeal Board) now has to decide if the fraud claim will move forward. In the next 3-4 weeks, we will see whether the case will continue on the other two grounds, that the mark is generic and abandoned, or whether the fraud claim will still be on the table.
JavaScript everywhere
Microsoft reports a growing trend: cybercriminals are now using Node.js to deliver malware. Why? Because it’s easy to run, hard to detect, and cross-platform — everything a modern attacker could want.
These malicious actors package their tools using Node.js, taking advantage of its flexibility to build remote access trojans (RATs), data stealers, and other harmful payloads. Since Node.js apps can blend into normal environments and run silently in the background, they often slip past security tools unnoticed.
Attackers also rely on obfuscation and legit-looking npm packages, making it even harder for defenders to spot threats.
Microsoft’s advice? Start treating Node.js like the powerful scripting engine it is — not just a developer tool, but a potential threat vector. Monitor it, audit your npm dependencies, and lock down your runtime environments.
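One way to act on the "audit your npm dependencies" advice, as an added example (not taken from Microsoft's report or from this digest): a check over a package-lock.json in the lockfileVersion 2/3 layout that flags packages which run install scripts, lack an integrity hash, or resolve outside an allow-listed registry. The lockfile, package names and allow-list are constructed.

```javascript
// Added example: the lockfile, package names and allow-list are constructed.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-pkg-a": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/example-pkg-a/-/example-pkg-a-2.1.0.tgz",
      integrity: "sha512-CONSTRUCTED-VALUE",
    },
    "node_modules/example-pkg-b": {
      version: "0.3.1",
      resolved: "https://registry.npmjs.org/example-pkg-b/-/example-pkg-b-0.3.1.tgz",
      integrity: "sha512-CONSTRUCTED-VALUE",
      hasInstallScript: true, // npm sets this when the package declares install hooks
    },
    "node_modules/example-pkg-c": {
      version: "1.0.0",
      resolved: "https://files.example.test/example-pkg-c-1.0.0.tgz",
    },
  },
};

// Hosts packages may be downloaded from (assumption: public registry only).
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);

function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages ?? {})) {
    if (path === "" || pkg.link) continue; // skip the root project and workspace links
    const reasons = [];
    if (pkg.hasInstallScript) reasons.push("runs install scripts");
    if (!pkg.integrity) reasons.push("no integrity hash");
    let host = null;
    try {
      host = new URL(pkg.resolved).hostname;
    } catch {
      // missing or non-URL "resolved" value: host stays null and is flagged below
    }
    if (!TRUSTED_HOSTS.has(host)) reasons.push(`resolved outside allow-list: ${pkg.resolved ?? "none"}`);
    if (reasons.length > 0) {
      findings.push({ name: path.replace(/^.*node_modules\//, ""), reasons });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A flagged package is a prompt for review, not a verdict: many legitimate native modules run install scripts.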
What’s new in Node.js v24?
Node.js v24 might already be out by the time you read this digest, so let's dive into some exciting features of the latest version of our favorite platform!
One of the most practical additions is explicit resource management with the new using and await using statements. Resources marked with these statements are automatically cleaned up once they go out of scope—making your code safer and cleaner.
Also, URLPattern becomes a global object, improving developer experience by simplifying URL pattern matching directly in your scripts.
Another useful addition is the new Error.isError() method, helping you reliably identify errors across different realms, enhancing robustness in error handling.
Other notable improvements include:
Check out the full list of updates here.
Continuous Integration, Occasional Security
In March 2025, the Node.js team discovered that attackers had managed to run unauthorized code on their CI infrastructure — not by exploiting some deep flaw in the system, but by cleverly using GitHub pull requests. With some quite trivial manipulation of commit timestamps, the attacker was able to execute malicious code directly on Node.js infrastructure. You can read more details about the incident and remediation here.
Happily, the Node.js team reacted in time and there was no noticeable damage or impact. Looks like a good time to check your recent Security Awareness training 😂
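Why commit timestamps make a poor trust signal, as an added illustration (not code from the Node.js project or its incident report): the sketch assumes a CI gate that decides whether a pull request changed after approval by comparing commit dates with the approval time, and sets it beside a gate pinned to the approved commit SHA. All names, fields and data are constructed.

```javascript
// Added example. All data is constructed; field and function names are hypothetical.
const approval = { commitSha: "a1a1a1a", submittedAt: "2025-03-01T10:00:00Z" };

// The PR exactly as the reviewer approved it.
const reviewedPr = {
  headSha: "a1a1a1a",
  approval,
  commits: [{ sha: "a1a1a1a", committerDate: "2025-03-01T09:00:00Z" }],
};

// The same PR after a later push; the new commit carries a date that
// predates the approval, because commit dates are written by the client.
const changedPr = {
  headSha: "b2b2b2b",
  approval,
  commits: [
    { sha: "a1a1a1a", committerDate: "2025-03-01T09:00:00Z" },
    { sha: "b2b2b2b", committerDate: "2025-03-01T09:30:00Z" },
  ],
};

// Weak gate: "no commit is newer than the approval" trusts metadata
// that whoever creates the commit can set to any value.
function weakGate(pr) {
  const approvedAt = Date.parse(pr.approval.submittedAt);
  return pr.commits.every((c) => Date.parse(c.committerDate) <= approvedAt);
}

// Hardened gate: run CI only when the current head is the exact commit
// that was approved. The SHA covers content and history, so the code
// cannot change while the SHA stays the same.
function hardenedGate(pr) {
  return pr.headSha === pr.approval.commitSha;
}

function decide(pr) {
  return { weak: weakGate(pr), hardened: hardenedGate(pr) };
}

console.log("reviewed PR:", decide(reviewedPr)); // both gates allow
console.log("changed PR: ", decide(changedPr)); // only the weak gate allows
```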
State of Web Dev AI
We recommend checking out the results of the State of Web Dev AI survey. As always, there’s plenty of statistical data on the tools respondents are using:
The Opinions section deserves special attention — it featured open-ended questions. For instance, most respondents agreed that AI tools negatively affect overall expertise levels in the industry. There are also widespread concerns about job security and even the broader impact of AI on humanity's future.
Something to read:
The Platformatic team shared in their blog how fine-tuning Garbage Collection (GC) and memory management in V8 can significantly boost Node.js performance.
Liran Tal wrote about minimizing reliance on npm install by leveraging Node.js’ built-in modules instead.
MCP is the talk of the town lately. Riding the wave, the Serverless team introduced their own Serverless MCP Server, which looks promising in demo videos — but we all know reality hits different 😉
A deep dive into how Netflix achieves the exceptional streaming quality we’ve all come to expect.
How can contributing to Open Source become more than a habit — a mission? The Forward Email team shows how they’re living that idea.
Some thoughts on why TypeScript is going Go.
Just for fun: meet bhvr (Bun, Hono, Vite, React) — a cute project starter kit. Although... what could make starting a project easier than Cursor? 😄
A look at the new typed array in JavaScript: Float16Array, explained by Trevor I. Lasn.
We all know about CORS, but it never hurts to revisit why caution is key — especially when GitHub’s blog is reminding us.
There’s never too much OWASP — here’s a fresh batch of best practices for working with npm packages.
Something to watch:
This month, it’s worth checking out the following videos from Matt Pocock:
👉 Where the author slightly revises his stance on whether to use types or interfaces:
👉 Why, if you haven't paid attention yet, now is really the time to look at the Zod library, which has just released version 4:
👉 And also what vibe coding looks like when done by a sane person:
It's always interesting to listen to a conversation between two smart people. This time, it's a discussion between Stefan Baumgartner and the author of TypeScript Cookbook, Peter Kröner:
Did you know that Google has a Git killer? If not, it's high time to get familiar with something you could start integrating into your projects as soon as tomorrow:
If you work with event-driven systems, then the Outbox pattern might already be part of your toolkit. If not, the author of the Software Developers Diaries channel explains the benefits of this approach:
Updates/Releases:
Environments: Node v22.15.0, Node.js v20.19.1, Deno v2.3, Bun v1.2.12;
Frameworks: Koa v3.0, Nest.js v11.1.0
Libraries: Prisma v6.7.0, Zod v4 beta
A few more things
Here you can read about WhatsApp’s architecture that allows it to handle 40 billion messages per day.
If the word parquet doesn’t only make you think of post-AI career paths for developers, but also reminds you of the Parquet data format, then you might have heard of Apache Iceberg:
Many of you have heard that Bun is written in Zig — here’s a person who’s been working with Zig for two years and shares some impressions:
There seems to be a brewing division among React developers — Fireship talks about it here:
Keep track of memes