JavaScript and Node.js teams do not lack security tools. What they still lack is a dependency security workflow that developers will actually use before release.
That is the real gap. A package gets installed, CI (continuous integration) runs, a scanner executes somewhere in the pipeline, and eventually a report appears. From a distance, that can look like maturity. In practice, it often means developers learn about dependency risks too late, too indirectly, and with too little clarity to act while the fix is still easy.
The real problem in JavaScript and Node.js security is no longer detection. It is actionability.
That is why so many teams can say they scan dependencies and still struggle to answer the questions that matter right before release. What exactly is vulnerable? Is it direct or transitive? Is there a fixed version? Can I fix it in my own project, or am I blocked behind an upstream dependency? Which finding deserves attention first?
Those are not edge cases. That is the rea
Thirteen critical vulnerabilities have been found in the vm2 JavaScript sandbox package that could allow an attacker’s code to escape the container and do nasty things to IT environments. As a result, developers using this library in their applications are urged to update the software to the latest version, which is currently 3.11.2.
The warnings come in advisories from vm2 maintainer Patrik Simek.
vm2 is an open source VM/sandbox that can run untrusted code with a whitelist of Node.js built-in modules.
One of the more serious of the 13 vulnerabilities is CVE-2026-26956, a full sandbox escape with arbitrary code execution. Attacker code running inside VM.run() can obtain the host process object and run host commands with no cooperation from the host.
However, researchers at Socket told us in an email that the advisory about this escape says it has been confirmed only on Node.js 25.6.1, and that it requires a Node.js version with WebAssembly exception-handling and JSTag support.
The highest-risk
A supply chain attack on SAP-related npm packages has put fresh scrutiny on the developer tools and build workflows that enterprises rely on to produce software.
The campaign, referred to as “mini Shai-Hulud,” affected packages used in SAP’s JavaScript and cloud application development ecosystem.
The malicious versions added installation-time code that could steal developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes environments.
Researchers at SafeDep, Aikido Security, Wiz, and several other security firms said the affected packages included mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2.
The suspicious versions were published on April 29 and were later replaced by safe releases.
The malware encrypted stolen data and sent it to public GitHub repositories created from victims’ own accounts, according to the researchers. It also used stolen GitHub and npm tokens to add ma
OpenAI has released Symphony, an open-source specification for turning issue trackers such as Linear into control planes for Codex coding agents.
Instead of asking an AI tool for help with one coding problem at a time, Symphony is designed to let agents pick up work from an issue tracker, run in separate workspaces, monitor CI, and prepare changes for human review.
In a blog post, OpenAI said the system grew out of a bottleneck it encountered as engineers began running multiple Codex sessions. Engineers could manage only three to five sessions before context switching became painful, the company said, limiting the productivity gains from faster coding agents.
OpenAI said the impact was visible quickly, with some internal teams seeing landed pull requests rising 500% in the first three weeks.
The orchestration layer can monitor issue states, restart agents that crash or stall, manage per-issue workspaces, watch CI, rebase changes, resolve conflicts, and shepherd pull requests toward rev
JavaScript remains one of the most in-demand programming languages for web development—and that’s not likely to change anytime soon. While a JavaScript certification alone may not land anyone a development job, it definitely has its benefits.
“JavaScript isn’t just holding steady, it is still the most in-demand language in the market,” says Dan Roque, recruitment manager at HRUCKUS, a provider of professional and career services.
The Stack Overflow 2025 Developer Survey of more than 49,000 developers shows that JavaScript remains the most-used programming language, coming in ahead of HTML/CSS, SQL, and Python.
“It has held the top spot for over a decade, every single year since the survey began in 2011,” Roque says. JavaScript’s core advantage is its ubiquity, he says. “A developer who knows it well can contribute to front-end interfaces, back-end APIs [application programming interfaces], serverless functions, and automation pipelines without switching languages,” he says.
JavaScript
HTMX has been considered feature-complete for some time. It is a successful project that achieves its ambitious goals and is widely hailed, not to mention widely deployed in production. HTMX 2.0 was considered the final word. The creator promised there would be no HTMX 3.0.
So of course, being developers, the HTMX team decided to rip out the engine and replace it with a new one based on JavaScript’s Fetch API. They named the new version HTMX 4.0 to keep the promise.
Here is a fascinating tale of architecture and implementation that gives us a beautiful window into the inner machinations of the front-end industry.
Simpler web development
When asked for comment on the 3.0 leapfrogging, HTMX creator Carson Gross gave me a one-word quote:
“Oops.” – Carson Gross, creator of HTMX
Gross is one of my favorite industry personalities. It’s easy to see why. He created the Grug Brained Developer as well as HTMX. The former contains all the hard-bitten advice from a veteran coder that young grugs need
MiniMax, the AI research company behind the MiniMax omni-modal model stack, has released MMX-CLI, a Node.js-based command-line interface that exposes the MiniMax AI platform’s full suite of generative capabilities, both to human developers working in a terminal and to AI agents running in tools like Cursor, Claude Code, and OpenCode. What Problem Is MMX-CLI Solving? […]