Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar.

RT @nodejs: Node.js v24.7.0 is out 💚. Featuring:.- Post-Quantum Cryptography in node:crypto.- Modern Algorithms in Web Cryptography API.- N….

What do you want to know?.

I was lucky to be part of the second cohort of @GitHub Secure Open Source Fund program and I enjoyed every bit of it. The program is jam-packed with content that you don't want to miss. So if you have an impactful Open Source project, you should apply!.

A number of JWT libraries are being flagged by low quality CVEs, mine included. I've promptly responded to their author 4 months ago and haven't heard back since. Now there are poor quality CVEs on MITRE that are getting synced across all security tools. What a shame, and PITA.

I'm going to be doing a pass over @nodejs Web Cryptography module as soon as Web Incubator CG (WICG) adopts the Web Cryptography Modern Algorithms proposal.

I've verified that oidc-provider (built using Koa) will run on CF Workers. Great job @yagiznizipli. No runtime can thrive without node compat and CF's approach to it is just 🧑‍🍳🤌.

OpenSSL 3.5 upgrade in Node.js underway and so is planning for all the goodness that comes with having 3.5 at hand - ML-DSA, ML-KEM, HPKE

RT @selfissued: Updates to Audience Values for OAuth 2.0 Authorization Servers @_panva @__b_c @openid #IETF #OAuth….

Having users keep a list of ESM-only dependencies to ignore "transform" on is the, as advertised, delightful Jest experience? As a maintainer of ESM-only modules I am not delighted being the support channel for @jestjs_ users who struggle to use web-compatible ESM modules.

FWIW the WebCryptoAPI in Node.js had these since August 2022.

WebCryptoAPI Ed25519 and X25519 algorithms are finally unflagged in Chrome 137, Edge 137 will follow shortly after and then these are available in all browsers. This is long overdue and is arguably might be seen as DOA given we're now shifting our focus to PQC algorithm support.

RT @_rafaelgss: A warm welcome to our newest Node.js TSC member: @_panva . Happy to see you onboard!.

jsr recently added download stats to the UI which also shows user adoption is nearing 0 even for very popular projects. Apart from bug fixes and less punishment for module authors, what's missing? For users? For module authors? Incentive for one, what else?.

Reality is that its doc generation drops doc inherited from the "implements" keyword, doesn't support full github flavored markdown, it punishes lack of useless interface docs with score deductions, lacks support for undeclared type dependencies necessary for a plugin ecosystem.

jsr seems intended to be super convenient for module authors who already adopted typescript, it build js, generates docs, incentivises inline docs using tsdoc, generally avoids having to setup much tooling.

There's a reason for those constant time checks. As flawed as they may be with eager optimizations done by js engines they still serve a purpose.

I've seen recent code changes that dealt with the buffer-equal-constant-time mishap in Node.js v24.0.0 by replacing it with the buffer-equal module via package manager overwrites. Please know that doing so makes your code vulnerable to timing attacks.

Did you move off of Node.js v18.x yet? 2 days 'till EOL

Thank you @ItsAndreKoenig for sponsoring me on @github. You can join them and discover my other standards-related projects at my sponsors profile:

RT @satanacchio: Node.js v20.19.0 is out 🤩. This is a special minor release ✨.Although v20 is in maintenance mode, meaning only patch are e….

JSR still has a long way to go to be taken seriously by maintainers, at least from the experience I'm having. Does anyone believe it'll ever become THE registry to use?.