Node.js 2025: Native TypeScript Support, Express 5.1 Revival, and Major Security Events
The 2025 Node.js roundup highlights native TypeScript execution, the long‑awaited releases of Express 5.1 and Koa 3.0, TypeScript 5.8/5.9 enhancements, pnpm's delayed‑dependency feature, a series of supply‑chain attacks, and key official moves such as a Discord community and Corepack policy changes.
1. Native TypeScript Support (Jan & Nov)
Node.js added built‑in TypeScript execution at the start of the year and solidified it in the LTS release v24.12.0 (Dec 2025). The runtime now strips type annotations, allowing developers to run node index.ts directly without a separate compile step. Although this is not a type‑checking runtime (that remains Deno's domain), it dramatically improves developer experience.
2. Framework Revivals: Express 5.1 and Koa 3.0
Express 5.1 (Mar 2025): After a prolonged pause on the 5.0 line, Express 5.1 arrived, restoring the framework’s stability and performance.
Koa 3.0 (Apr 2025): Koa released version 3.0, bringing modern features and reaffirming its relevance.
NodeBB v4.0 (Jan 2025): The popular forum software also launched a major update, illustrating the continued vitality of classic Node.js tools.
These releases sparked a nostalgic “back‑to‑the‑old‑days” reaction among long‑time developers, showing that mature tools can still evolve.
3. Toolchain Evolution: TypeScript 5.8/5.9 and pnpm
TypeScript 5.8 (Feb 2025) & 5.9 (Aug 2025): Both versions introduced the --erasableSyntaxOnly flag, ensuring code can be stripped of types for seamless execution by Node’s native support.
pnpm (Sep 2025): The package manager added a “delayed dependency update” feature, aimed at mitigating the security crises described later.
4. Security Incidents
Microsoft warning (Apr 2025): Microsoft reported a rise in Node.js usage by malware authors.
npm phishing attack (Sep 2025): A large‑scale phishing campaign targeted npm packages, compromising many developer accounts.
Shai-Hulud v2 supply‑chain attack (Nov 2025): A sophisticated supply‑chain exploit resurfaced, causing widespread concern.
The article stresses the importance of locking dependency versions and avoiding blind copy‑pasting of code.
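The idea behind a delayed dependency update, paired with the version-locking advice above, is to resolve only to releases that have been public long enough for a malicious publish to be noticed and pulled. The following is an added example, not code from pnpm or from the original article: the function names and the sample data are constructed, and the input only mirrors the shape of the npm registry's per-package "time" map.

```javascript
// Added example: release "cool-down" selection, the idea behind delayed updates.
// Versions and timestamps below are constructed sample data for a fictional package.
const SAMPLE_TIMES = {
  created: "2024-01-10T09:00:00.000Z",
  modified: "2025-11-24T03:20:00.000Z",
  "1.4.0": "2025-09-01T12:00:00.000Z",
  "1.4.1": "2025-11-20T08:30:00.000Z",
  "1.4.2": "2025-11-24T03:15:00.000Z", // published hours before "now"
  "2.0.0-beta.1": "2025-10-01T00:00:00.000Z",
};

// Parse "major.minor.patch"; return null for prereleases and non-version keys.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the highest stable version published at least minAgeMinutes before
// `now`, or null when every release is still inside the waiting window.
function pickAgedVersion(times, minAgeMinutes, now) {
  const cutoff = now.getTime() - minAgeMinutes * 60000;
  let best = null;
  for (const [version, published] of Object.entries(times)) {
    const parsed = parseStable(version);
    if (!parsed) continue; // skips "created", "modified" and prereleases
    const ts = Date.parse(published);
    if (Number.isNaN(ts) || ts > cutoff) continue; // too new or unreadable
    if (!best || compareVersions(parsed, best.parsed) > 0) {
      best = { version, parsed };
    }
  }
  return best ? best.version : null;
}

// Constructed "current time" so the example is deterministic.
const SAMPLE_NOW = new Date("2025-11-24T12:00:00.000Z");
console.log(pickAgedVersion(SAMPLE_TIMES, 24 * 60, SAMPLE_NOW));
```

A release with a missing or unparseable timestamp is treated as ineligible rather than as old, so the check fails closed.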
5. Official Initiatives
Official Discord (Mar 2025): Node.js launched a Discord community that quickly grew to over 20 000 members.
Corepack policy change (Mar 2025): Corepack will no longer be shipped by default, giving users full control over their package manager choice.
Version releases:
Node.js v24.0 (May 2025)
Node.js v25.0 (Oct 2025) with v24 becoming active LTS, recommended for production.
Conclusion
2025 reaffirms Node.js as a cornerstone of backend development. Despite competition from runtimes like Bun and Deno, Node.js has incorporated key innovations—most notably native TypeScript support—while improving performance and developer ergonomics.
