#Security

Node.js 26.3.0 lands with a doubled default Buffer.poolSize to 64 KiB, a new permission.drop() method for granular capability surrender, macOS universal binary warnings, and hardened WebCrypto. npm is bumped to 11.16.0.

Astro 6.1.8 fixes a regression where build output filenames containing special characters caused deploy failures on Netlify and Vercel, and patches a content-type confusion vulnerability in the built-in image endpoint that could serve non-SVG content as SVG.

A look back at the major events that reshaped TypeScript's position in the JavaScript ecosystem — from surpassing JavaScript on GitHub to npm supply chain compromises and the Go-based compiler rewrite targeting 10x faster builds.

Cloudflare has built EmDash, a new open-source CMS written entirely in TypeScript and powered by Astro. Plugins run in isolated Dynamic Workers, solving WordPress's decades-old plugin security crisis where 96% of security issues originate.

Node.js shipped emergency security releases for v25, v24, v22, and v20 on March 24, 2026, patching two high-severity CVEs including a TLS SNICallback crash and an HTTP header prototype pollution risk. Here's what each fix does and which versions are affected.

Two poisoned releases of axios — one of the most widely-used Node.js HTTP client libraries — were published and pulled from npm within hours. Here's what happened, how the attack worked, and what you need to do right now.

On March 30–31 2026, developers discovered that the npm package @anthropic-ai/claude-code@v2.1.88 included a production source map file that exposed the full TypeScript source code — revealing undocumented multi-agent orchestration, a hidden Chrome MCP server, an internal query engine, a tool permission system, and a three-tier telemetry system.