If the change log was generated by AI then it would make sense 😆 you are an AI favourite

Mexican orange blossom

A crow having a snack in the Forgotten Streams

California lilac

St. Paul’s Cathedral

Had a blast in London!

Thanks @tchetwin.bsky.social, @legendecas.bsky.social and many volunteering Bloombergers for organising a great Node.js collab summit 😇 This was one of the most attended summits I’ve been to, so didn’t get to say hi to everyone, but very happy to see many new faces!

🤌

Proposal: new `vm` module primitives & loader API for ESM customization · Issue #62720 · nodejs/node This proposes new vm module primitives that aim to replace the existing vm.SourceTextModule and provide a high-level loader API for ESM (specifically SourceTextModule) loading customization. Consid...

RFC: I have a new proposal to add new vm Module primitives and a SourceTextModuleLoader API to bring the `--experimental-vm-modules` out of experiments! github.com/nodejs/node/...

TFW you have a meet up next week and you even have a session to facilitate but your tonsils are acting up and your voice is now broken 😅

Just landed in London and planning to go to the GitHub social club in London this afternoon. Wondering if anyone here is joining too, happy to go say hi there!

30 minutes into sleep and I got woken up by iPhone’s bed time alert and I couldn’t fall asleep again. This must have been the most stupid feature ever…

Young linden leaves

Fir pollen cones

Apple blossoms?

Elm samaras

Spring has arrived in Galicia!

People seem to be underestimating how powerful 2 can be. You can make stupid choices you wouldn't normally make in a panic. My ex-roommate once almost got scammed but luckily she still had some wits left in that panic to consult me. It's useful to have another brain around when you are in a panic.

This looks similar to other telecom scams:

1. Lower your guards by appearing to be trust worthy
2. Put you into a panic mode so you make mistakes

In typical Chinese telecom scams, 1 is by appearing as an authority (police) or someone you know, 2 is by faking an emergency

Most towns in Spain has some parts that look like that, it would be weird to make a theme park out of it when people can just go back to their own town and see the same thing..

Some C++ code rendered in the new VS code default color scheme

Some JS code rendered in the new VS code default color scheme

There are a lot more purple now (I am a bit meh about this particular shade of purple though)

A few days in and I think my brain is gradually getting used to it. It’s amazing how a color scheme (or the familiarity of a particular one) can affect your speed of comprehension of the code but it’s useful to force yourself not to get locked into a specific set of schemes…

The majority of the reports are no longer legit vulnerabilities, but regular bugs or completely normal behaviors that AI try to frame as vulnerabilities with a highly contrived PoC to get the bounty, The massive noise is making it harder for triagers to identify the real valuable vulnerabilities.

The underlying cause is actually mentioned in both the H1 and L1 post: there’s an increase of AI-generated vulnerabilities, making rewards for reporting no longer sustainable. It’s a good thing that the funding is shifting towards actually triaging the valid reports and fixing the valid ones

Oops, obviously I meant releasing fixes, not releasing vulnerabilities! 😅

Those are different programs, IBB rewards those who *report* vulnerabilities, the grant in the link is operated by OpenSSF/AlphaOmega which sponsors 1 person/year to work *fixing* and *releasing* vulnerabilities. You can read about what that does here github.com/ossf/alpha-o...

Also thanks @aditeigh.bsky.social for the reviews!

Finally landed this PR that has been delayed for all sorts of reasons..

Hopefully this will help get rid of the "VSCode remote SSH getting stuck connecting to my server" problem caused by the WebAssembly memory allocation issue for most people when it flows into LTS!

github.com/nodejs/node/...

My brain is freezing when reading code in the new theme, but I wonder if that's just a thing that will pass once I get used to the new theme...and I do like the aesthetics, just that my brain doesn't listen to my eyes 🥲

Just updated vscode and now I am not sure if I should just get used to the new default color scheme or set it back to the old one...

This must've been one of the most challenging things I've worked on in a while. Thanks Bloomberg for sponsoring my work on this, and everyone who helped shipping a fix in time!

Wrote a blog post about how this works: joyeecheung.github.io/blog/2026/03...

new post on my personal blog.

i think these three areas often go unexplained, so hopefully this explains why some of these packages exist. these are fine to exist but the majority of developers shouldn't have to pay the cost for them.

Oh no ran into this again: thought my trackpad is broken because it was acting weird, turned out I just forgot to turn off my bluetooth mouse that was in my bag

This probably never gets old!

Now it's time to think if there's a better way to make it less of a chore...

Check out my badge & claim your free JSNation 2026 remote ticket! Join 10k engineers worldwide at JSNation 2026 and meet 50 top speakers at June 11 - 15, 2026

I will be speaking at #JSNation about the current lifecycle of ESM in Node.js, and the recent changes!

Check out my #JSNation badge: gitnation.com/badges/jsnat.... Register via the badge and watch the stream for FREE! See you on June 11 & 15.

Node.js — Tuesday, March 24, 2026 Security Releases Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

⚠️ Security release pre-alert:

We will release new versions of 20, 22, 24, 25 release lines on or shortly after 24th March, 2026 in order to address:

* 2 high severity issues
* 5 medium severity issues
* 2 low severity issues

nodejs.org/en/blog/vuln...

This must’ve been the biggest (in size) PR I’ve ever reviewed 😬 thanks for bearing with my insistence in hooking into the module loader & intercepting in fs internals, hopefully this would make a class of monkey patching in the wild obsolete and we will have a much more robust public API for this!

I am very excited to announce our partnership @eurosky.social with @igalia.com!

The partnership will accelerate the development of independent, European-operated infrastructure for the open social web, enabling developers, organizations, & communities to build new applications.

cc @xanlopez.xyz