
Security News
Follow-up and Clarification on Recent Malicious Ruby Gems Campaign
A clarification on our recent research investigating 60 malicious Ruby gems.
Sarah Gooding
December 6, 2024
JavaScript enthusiasts celebrated the language’s 29th birthday this week, coinciding with the Node.js team delivering some exciting updates. The project has seen significant progress and improvements in late 2024, focusing on security, automation, and new features. Here’s a quick roundup of the most important changes developers need to know:
Node.js shipped version 22.12.0 'Jod' this week, its first LTS with require(esm) enabled by default. The feature is still experimental but it's no longer behind the --experimental-require-module flag. Support for loading native ES modules via require() is an exciting milestone that impacts the whole ecosystem.
Node.js TSC delegate Joyee Cheung, who contributed this feature, gave a brief background on why it was needed:
It helps accelerate ESM adoption in the ecosystem as package authors can start shipping native ESM with less breakage to their CJS users; it also helps frameworks and tools that take plugins to support native ESM in user/plugin code whilst they are still navigating their own migration to ESM.
Automating the release process is an initiative that Node.js maintainers have been working on since 2023 with the goal of reducing the number of time-consuming steps to perform a release. In the last couple months, the project has made major progress in automating some of the housekeeping related to security releases which has made the team more efficient.
Node.js reports processing its lowest ever number of security reports (10) in October–November 2024. A brief breakdown of the reports:
The team attributes the low number of reports to “the effectiveness of our updated security policies in enhancing overall system protection.” They have also improved the release workflow with an automated command for updating the website banner and blog post locations, along with the CVE-ID metadata automatically added to changelogs, speeding up security release proposals.
These recent milestones demonstrate Node.js' ongoing commitment to drive the ecosystem forward and suggest that the platform will continue to be a powerful force in JavaScript’s adaptability, performance, and global impact for years to come.
By enabling require(esm) by default in an LTS release, Node.js is addressing one of the ecosystem's long-standing hurdles—bridging the gap between CommonJS and ES Modules. This shift indicates a commitment to easing the ESM adoption curve, paving the way for modern, interoperable JavaScript development.