Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
readable-stream
Advanced tools
readable-stream
Node.js core streams for userland
npm install readable-stream
This package is a mirror of the streams implementations in Node.js 18.19.0.
Full documentation may be found on the Node.js website.
If you want to guarantee a stable streams base, regardless of what version of Node you, or the users of your libraries are using, use readable-stream only and avoid the "stream" module in Node-core, for background see this blogpost.
As of version 2.0.0 readable-stream uses semantic versioning.
Version 4.x.x
v4.x.x of readable-stream is a cut from Node 18. This version supports Node 12, 14, 16 and 18, as well as evergreen browsers.
The breaking changes introduced by v4 are composed of the combined breaking changes in:
This also includes many new features.
Version 3.x.x
v3.x.x of readable-stream is a cut from Node 10. This version supports Node 6, 8, and 10, as well as evergreen browsers, IE 11 and latest Safari. The breaking changes introduced by v3 are composed by the combined breaking changes in Node v9 and Node v10, as follows:
- Error codes: https://github.com/nodejs/node/pull/13310, https://github.com/nodejs/node/pull/13291, https://github.com/nodejs/node/pull/16589, https://github.com/nodejs/node/pull/15042, https://github.com/nodejs/node/pull/15665, https://github.com/nodejs/readable-stream/pull/344
- 'readable' have precedence over flowing https://github.com/nodejs/node/pull/18994
- make virtual methods errors consistent https://github.com/nodejs/node/pull/18813
- updated streams error handling https://github.com/nodejs/node/pull/18438
- writable.end should return this. https://github.com/nodejs/node/pull/18780
- readable continues to read when push('') https://github.com/nodejs/node/pull/18211
- add custom inspect to BufferList https://github.com/nodejs/node/pull/17907
- always defer 'readable' with nextTick https://github.com/nodejs/node/pull/17979
Version 2.x.x
v2.x.x of readable-stream is a cut of the stream module from Node 8 (there have been no semver-major changes from Node 4 to 8). This version supports all Node.js versions from 0.8, as well as evergreen browsers and IE 10 & 11.
Usage
You can swap your require('stream') with require('readable-stream')
without any changes, if you are just using one of the main classes and
functions.
const {
Readable,
Writable,
Transform,
Duplex,
pipeline,
finished
} = require('readable-stream')
Note that require('stream') will return Stream, while
require('readable-stream') will return Readable. We discourage using
whatever is exported directly, but rather use one of the properties as
shown in the example above.
Usage In Browsers
You will need a bundler like browserify, webpack, parcel or similar. Polyfills are no longer required since version 4.2.0.
Streams Working Group
readable-stream is maintained by the Streams Working Group, which
oversees the development and maintenance of the Streams API within
Node.js. The responsibilities of the Streams Working Group include:
- Addressing stream issues on the Node.js issue tracker.
- Authoring and editing stream documentation within the Node.js project.
- Reviewing changes to stream subclasses within the Node.js project.
- Redirecting changes to streams from the Node.js project to this project.
- Assisting in the implementation of stream providers within Node.js.
- Recommending versions of
readable-streamto be included in Node.js. - Messaging about the future of streams to give the community advance notice of changes.
Team Members
- Mathias Buus (@mafintosh) <mathiasbuus@gmail.com>
- Matteo Collina (@mcollina) <matteo.collina@gmail.com>
- Release GPG key: 3ABC01543F22DD2239285CDD818674489FBC127E
- Robert Nagy (@ronag) <ronagy@icloud.com>
- Vincent Weevers (@vweevers) <mail@vincentweevers.nl>
Other packages similar to readable-stream
through2
Through2 is a tiny wrapper around Node.js streams.Transform that makes it easier to create transform streams. It is similar to readable-stream's Transform, but with a simpler API for most common use cases.
highland
Highland.js manages synchronous and asynchronous code easily, using nothing more than standard JavaScript and Node-like streams. It is more functional in nature compared to readable-stream and provides a higher level abstraction for handling streams.
stream-browserify
Stream-browserify is a browser-compatible version of Node.js' core stream module, similar to readable-stream. It allows the use of Node.js-style streams in the browser, but it is specifically designed to polyfill the native Node.js stream module for browser use.
bl
Buffer List (bl) is a storage object for collections of Node Buffers, which can be used with streams. Unlike readable-stream, it focuses on buffering and manipulating binary data rather than providing the stream API itself.
FAQs
Node.js Streams, a user-land copy of the stream library from Node.js
The npm package readable-stream receives a total of 99,942,957 weekly downloads. As such, readable-stream popularity was classified as popular.
We found that readable-stream demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 07 Jan 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025