#npm

Node.js 25.9 adds an experimental stream/iter module for async iteration over streams, a --max-heap-size CLI flag, AsyncLocalStorage with using scopes, TurboSHAKE crypto, and an upgraded npm 11.12.1. Here's what each change means for your code.

A look back at the major events that reshaped TypeScript's position in the JavaScript ecosystem — from surpassing JavaScript on GitHub to npm supply chain compromises and the Go-based compiler rewrite targeting 10x faster builds.

Two poisoned releases of axios — one of the most widely-used Node.js HTTP client libraries — were published and pulled from npm within hours. Here's what happened, how the attack worked, and what you need to do right now.

On March 30–31 2026, developers discovered that the npm package @anthropic-ai/claude-code@v2.1.88 included a production source map file that exposed the full TypeScript source code — revealing undocumented multi-agent orchestration, a hidden Chrome MCP server, an internal query engine, a tool permission system, and a three-tier telemetry system.