Trust in JS supply chain; sync vs. async code; JIT vulnerabilities; parseInt() and keycap emojis; V8

Secure your JavaScript dependencies.

socket.dev Sponsor

Open source code makes up 90% of most codebases. Socket detects what traditional vulnerability scanners can’t, including 70+ indicators of open source supply chain risk like malware, typosquatting, hijacked packages, obfuscated code, privileged APIs, and more. Install our free GitHub app today to instantly enable protection on all updates and new dependencies added in PRs.

Reproducibility vs. provenance: trusting the JavaScript supply chain

blog.vlt.sh @darcy@fosstodon.org

“Enter reproduce, a new open-source tool designed to independently verify whether a published npm package can be faithfully rebuilt from its declared source. Unlike provenance systems that merely associate a package with a build environment (which can be ephemeral and manipulated), reproduce goes a step further—empirically testing whether the package metadata actually corresponds to its purported source.”

Async, sync, in between: writing code that can be used synchronously and asynchronously

antfu.me @antfu@webtoo.ls

A mere mortal’s introduction to JIT vulnerabilities in JavaScript engines

trustfoundry.net github.com/JosiahPierce

To parse an int: parseInt() and keycap emojis

www.aleksandrhovhannisyan.com github.com/AleksandrHovhannisyan

The blog post explains the following phenomenon:

> parseInt('4️⃣')
4

Turbocharging V8 with mutable heap numbers

v8.dev

“[...] we recently revisited the JetStream2 benchmark suite to eliminate performance cliffs. This post details a specific optimization we made that yielded a significant 2.5× improvement in the async-fs benchmark, contributing to a noticeable boost in the overall score. The optimization was inspired by the benchmark, but such patterns do appear in real-world code.”

Packages and tools

Node Modules Inspector: Visualize node_modules, inspect dependencies, and more

node-modules.dev @antfu@webtoo.ls

ohash: simple object hashing, serialization and comparison

github.com github.com/pi0 github.com/unjs

Unstorage: async key-value storage API for browser, workers, Node.js

github.com github.com/pi0 github.com/unjs
