July 30, 2025

Subject: 20 years of MDN; JS runtimes; minification doesn’t matter much; utility library es-toolkit; better .env files; Wasm-based plugins; package `is` hijacked; package `stylus` removed; securely building open source packages; auditing npm packages; ESLint v9.32.0

Dear readers!

ECMAScript News is taking a mid-year break and will be back on October 1. We wish you a good time!

Axel & Jowe

Celebrating 20 years of MDN

developer.mozilla.org github.com/joewalker @mdn@mastodon.social

“This month, we're celebrating a big anniversary: 20 years of MDN. Twenty years ago, the web was growing into a complex, interactive platform that was getting easier to access, but more challenging to build for. MDN started as a community-driven wiki, helping developers navigate that rapidly-evolving web with an emphasis on web standards. As the web platform matured and grew, so did the vast amount of knowledge captured on MDN and the community of people who read and contribute to it.”

The many, many, many JavaScript runtimes of the last decade

buttondown.com @shirakaba@techhub.social

“This last decade has seen an inundation of new JavaScript runtimes (and engines in equal measure), enabling us to run JavaScript in all manner of contexts with precise fitness for task. Through these, we've seen the language spread to the Cloud, the edge, Smart TVs, mobile devices, and even microcontrollers.”

“In this article, we'll explore what's driving this diversity, and why no one runtime or engine suffices for all purposes.”

Minification doesn’t matter much (and has downsides) – thanks to gzip compression

gomakethings.com @cferdinandi@mastodon.social

Libraries and tools

es-toolkit: utility library with Lodash compatibility layer

es-toolkit.dev github.com/toss

varlock: write .env files with type information and validate, generate types, etc.

varlock.dev github.com/dmno-dev

Extism: multi-language plugin system based on WebAssembly

extism.org github.com/extism

  • Plugin languages: all languages that can be compiled to WebAssembly
  • Host languages: JavaScript, Go, Rust, etc.

Security

npm package `is` hijacked in expanding supply chain attack

socket.dev @sarahgooding@fosstodon.org @SocketSecurity@fosstodon.org

npm ‘accidentally’ removes package `stylus`, breaks builds and pipelines

www.bleepingcomputer.com @ax@c.im @BleepingComputer@infosec.exchange

Google’s OSS Rebuild: securely building open source packages

security.googleblog.com github.com/msuozzo

[Quote:] OSS Rebuild helps detect several classes of supply chain compromise:

  • Unsubmitted Source Code – When published packages contain code not present in the public source repository, OSS Rebuild will not attest to the artifact.
  • Build Environment Compromise – By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity or avoid exposure to compromised components altogether.
  • Stealthy Backdoors – Even sophisticated backdoors like xz often exhibit anomalous behavioral patterns during builds. OSS Rebuild's dynamic analysis capabilities can detect unusual execution paths or suspicious operations that are otherwise impractical to identify through manual review.
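As an added illustration of the first class above (not code from the Google post or from OSS Rebuild itself), the following Python script shows the core of a rebuild comparison: it builds a per-file SHA-256 manifest for a published package tarball and for one rebuilt from the public source, then reports files the published artifact contains that the rebuild does not, files whose content differs, and source files that never shipped. Both tarballs are constructed inline from sample file trees (the package name `example-pkg` and the file `lib/postinstall.js` are made up for the example), so it runs offline; attestation is withheld whenever any difference is found.

```python
"""Added example (not OSS Rebuild's own code): compare a published package
archive against one rebuilt from the public source, and report any file that
the published artifact contains but the rebuild does not ("unsubmitted source
code"), plus files whose content differs. Both archives are constructed
inline from sample data so the script runs offline."""
import hashlib
import io
import tarfile


def build_tar(files: dict[str, bytes]) -> bytes:
    """Construct a gzip tarball in memory from {path: content} (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mtime = 0  # fixed timestamp keeps the archive reproducible
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def manifest(tar_bytes: bytes) -> dict[str, str]:
    """Map every regular file in the archive to the SHA-256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            out[member.name] = hashlib.sha256(data).hexdigest()
    return out


def compare(published: bytes, rebuilt: bytes) -> dict[str, list[str]]:
    """Classify differences between the published artifact and the rebuild.

    unsubmitted: present in the published package, absent from the rebuild
    modified:    present in both, but content hash differs
    missing:     present in the rebuild only (source never shipped)
    """
    pub, reb = manifest(published), manifest(rebuilt)
    return {
        "unsubmitted": sorted(p for p in pub if p not in reb),
        "modified": sorted(p for p in pub if p in reb and pub[p] != reb[p]),
        "missing": sorted(p for p in reb if p not in pub),
    }


def attest(published: bytes, rebuilt: bytes) -> bool:
    """Attest only when the rebuild reproduces every published file exactly."""
    diff = compare(published, rebuilt)
    return not any(diff.values())


# Constructed sample: the tree that building the public source repository yields...
SOURCE_TREE = {
    "package/package.json": b'{"name":"example-pkg","version":"1.0.0","main":"index.js"}\n',
    "package/index.js": b"module.exports = require('./lib/util.js');\n",
    "package/lib/util.js": b"exports.add = (a, b) => a + b;\n",
}
# ...and a published tarball carrying an extra file plus a changed entry point,
# neither of which exists in the source repository (hypothetical file names).
PUBLISHED_TREE = dict(SOURCE_TREE)
PUBLISHED_TREE["package/index.js"] = (
    b"require('./lib/postinstall.js');\n"
    b"module.exports = require('./lib/util.js');\n"
)
PUBLISHED_TREE["package/lib/postinstall.js"] = b"// file not present in the public repository\n"

REBUILT_TARBALL = build_tar(SOURCE_TREE)
PUBLISHED_TARBALL = build_tar(PUBLISHED_TREE)

if __name__ == "__main__":
    for kind, paths in compare(PUBLISHED_TARBALL, REBUILT_TARBALL).items():
        print(f"{kind}: {paths}")
    print("attested:", attest(PUBLISHED_TARBALL, REBUILT_TARBALL))
```

The comparison works on per-file content hashes rather than on the raw archive bytes, because gzip headers and tar metadata (timestamps, ownership, entry order) legitimately vary between builds; what must not vary is the set of files and their contents. In practice the rebuilt side also needs a pinned toolchain and a hermetic build environment, which is the second class of compromise the list above describes.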

NPQ: open source CLI tool that audits and protects npm installs from malicious packages

www.trevorlasn.com github.com/indreklasn

New versions

ESLint v9.32.0: rules updated for explicit resource management, and more

eslint.org @nzakas@fosstodon.org @eslint@fosstodon.org
