Best of NPM2025

  1. Article · DevBlogs · 52w

    Announcing TypeScript Native Previews

    TypeScript Native Previews are now available, offering a significant speed advantage due to the native port of the TypeScript compiler using Go, shared memory parallelism, and concurrency. This preview can be installed via npm and extends the functionality in Visual Studio Code through a new extension. Although it's still in its early stages with some missing features, developers are encouraged to explore these previews and provide feedback for continued improvements.

  2. Article · Hacker News · 1y

    is-even-ai

    Explore the is-even-ai package which utilizes OpenAI's GPT-3.5-turbo model to check if numbers are even or odd. It offers various functions such as checking equality, greater than, and less than comparisons with examples of implementation. Users can adjust the AI model and temperature for more sophisticated uses.

  3. Article · Community Picks · 1y

    Why PNPM? WTF?

    PNPM is a faster and disk-space-saving package manager for JavaScript that uses a symlink strategy to share dependencies across projects. It manages different dependency versions efficiently, saving disk space by reusing common files. While it's gaining popularity for its performance benefits, the decision to switch from NPM remains a personal choice.

  4. Article · InfoWorld · 21w

    WhatsApp API worked exactly as promised, and stole everything

    A malicious npm package called "lotusbail" masqueraded as a legitimate WhatsApp Web API library for six months, accumulating over 56,000 downloads. The package functioned correctly while secretly stealing messages, credentials, and contact data through a proxy layer that intercepted all operations. It used four layers of obfuscation and RSA encryption to exfiltrate data to attacker-controlled servers. Most critically, it exploited WhatsApp's multi-device pairing to maintain persistent access even after package removal, requiring manual device unlinking. The package remains available on npm, highlighting the limitations of traditional security checks against supply-chain attacks that mimic legitimate behavior.

  5. Article · Codemotion · 1y

    Queueing Without a Queue: Enter fastq

    The post describes how to use fastq, an npm package for Node.js, to create in-memory queues for decoupling processes. It explains the installation and setup of fastq, creating a queue worker, pushing items into the queue, and building a retry strategy. While fastq is easy to use in certain scenarios, challenges like retry strategy implementation and loss of queue status on process termination must be addressed.

  6. Article · It's Foss · 51w

    How I Run JavaScript in VS Code

    Learn how to run JavaScript code directly in VS Code using Node.js for efficient development. The guide covers setting up Node.js, creating a basic project with npm init, running scripts from the terminal, and using custom npm scripts for streamlined execution. Also explores the Code Runner extension as an alternative for quick code snippets, though it has limitations compared to the Node.js approach for serious development work.

  7. Article · WebDev · 47w

    I Made a Simple Webdev Checklist So You Don’t Forget the Basics 🚀

    A developer created an npm package called webdev-checklist that provides a comprehensive checklist of essential steps to complete before launching a website. The tool can be installed with a single npm command and helps ensure websites are polished, secure, and production-ready by reminding developers of commonly forgotten but important pre-launch tasks.

  8. Article · Community Picks · 1y

    puffinsoft/jscanify: The Javascript document scanning library.

    jscanify is a JavaScript document scanning library powered by opencv.js. It supports web, NodeJS, and React platforms. The newly released version 1.3.0 offers glare suppression and multi-colored paper support. The existing API now delivers better results, and a debugging tool is available for inspecting results on test images.

  9. Article · DevBlogs · 23w

    Previewing the JavaScript/TypeScript Modernizer for VS Code Insiders

    Microsoft introduces the JavaScript/TypeScript Modernizer, an AI-powered VS Code extension that automates upgrading npm packages and fixing breaking changes in JS/TS projects. Available in VS Code Insiders as part of the GitHub Copilot App Modernization extension, it analyzes package.json files, proposes upgrade plans, updates dependencies to their latest versions, and suggests the necessary code changes through an interactive Copilot Chat experience. The tool requires VS Code Insiders, Node.js/npm, GitHub Copilot access, and enabling an experimental feature flag. It is currently in preview, with limitations including single-project support and potential rough edges.

  10. Article · Product Hunt · 29w

    WhatsDiff: CLI tool to help you understand changes in your dependencies

    WhatsDiff is an open-source CLI tool that displays what changed after running composer or npm update commands. It provides an interactive terminal interface for viewing dependency changes, aggregated changelogs, and risk assessment. The tool supports JSON/Markdown output for automation, CI/CD integration with exit codes, and includes an MCP server to assist with upgrades.

  11. Article · Collections · 36w

    Compromise of npm Packages Highlights Supply Chain Vulnerabilities

    A major security breach compromised 18 popular npm packages including debug and chalk through a phishing attack on maintainer credentials. The malicious code targeted cryptocurrency transactions by intercepting wallet interactions in browsers, though no funds were reportedly stolen. This represents the largest supply chain attack in npm's history, affecting packages with billions of weekly downloads.

  12. Article · ExpressoTS · 1y

    Better NPM

    Better NPM aims to enhance the npm package ecosystem with improved security, maintenance insights, and adoption statistics. It offers a unified marketplace for vetted plugins and extensions, a detailed security information layer, and better analytics for maintainers. Developers can gain comprehensive transparency into packages to make more informed decisions.

  13. Article · Bootstrap · 1y

    Bootstrap 5.3.5

    Bootstrap version 5.3.5 has been released to address a regression issue from Autoprefixer that caused floating form labels to always be 'floated' in Firefox. This release includes several documentation and dependency updates. The update is available on the Bootstrap website and on npm.

  14. Article · shipping bytes · 34w

    Buy vs build when it comes to dependency management

    Explores the evolution of developer perspectives on dependencies across career stages, from junior engineers wanting to learn by avoiding them, to mid-level developers embracing them for speed, to senior engineers being cautious about complexity. Compares software dependency decisions to manufacturing choices, arguing that both require careful cost-benefit analysis rather than blanket rules.

  15. Article · Dev Squad · 1y

    Introducing pingflow – A CLI tool for testing your internet speed! 🌐

    Pingflow is a CLI tool for real-time internet speed testing with a live progress bar, providing download speed in Mbps. It is easy to set up and works on Windows, macOS, and Linux. Install it using npm and then run the command 'pingflow' to test your speed.

  16. Video · Fireship · 36w

    The largest supply-chain attack ever…

    A massive supply chain attack compromised popular npm packages including Chalk, affecting over 2.5 billion weekly downloads. The attack began with a phishing email targeting maintainer Josh Junon, leading to malicious code that swapped cryptocurrency wallet addresses in web browsers. Despite the widespread impact across JavaScript ecosystems and CI/CD pipelines, the attackers only stole about $50 worth of Ethereum before the community detected and neutralized the threat within 2 hours.

  17. Article · WebDev · 51w

    NPM Downlytics

    Npm Downlytics is a newly launched tool aimed at helping developers track and analyze their NPM package download statistics. It allows users to monitor trends, evaluate package popularity, and manage multiple packages simultaneously. Ideal for maintainers interested in gauging the impact of their work and identifying emerging trends.

  18. Video · Deno · 1y

    Deno got even better!

    Deno 2.3 introduces enhancements like improved Deno compile and format commands, support for local npm packages, performance upgrades, advanced formatting options, and better observability features. It allows compiling projects into standalone binaries, integrating native add-ons, managing npm packages locally, and enhances distributed tracing capabilities.

  19. Article · Read the Tea Leaves · 27w

    The fate of “small” open source

    With 80% of developers now using AI tools, small utility libraries like blob-util (5M+ weekly downloads) face obsolescence as LLMs can generate equivalent code on demand. This shift eliminates the educational value these libraries provided through documentation and tutorials, moving developers toward instant solutions over understanding. The future of open source lies in larger, more inventive projects and niche topics that LLMs cannot easily replicate, such as novel research tools and creative techniques that push boundaries beyond what AI training data covers.

  20. Article · All Frontend · 49w

    I Made a Simple Webdev Checklist So You Don’t Forget the Basics 🚀

    A developer created an npm package called webdev-checklist that provides a quick reminder of essential steps before launching a website. The tool can be installed with a single command and helps ensure sites are polished, secure, and deployment-ready, preventing last-minute issues during the launch process.

  21. Article · Socket · 24w

    npm Sees Surge of Auto-Generated “elf-stats” Packages Publis...

    Socket's Threat Research Team discovered over 420 automated malicious packages published to npm following an "elf-stats" naming pattern. These packages were published every two minutes from newly created accounts and contained simple malware variants. npm has begun removing the affected packages, but the automated publishing continues with new variations appearing. Developers should avoid installing any packages matching the elf-stats-* pattern until they can be verified as safe.

  22. Article · React Native · 1y

    Drop the tools/NPM you use in React Native EXPO👇👇

    The author is transitioning from web to app development using React Native Expo and is seeking recommendations for essential tools and NPM packages used in this development framework.

  23. Article · Marvin Hagemeister · 41w

    Speeding up the JavaScript ecosystem - Semver

    The semver library used by npm, yarn, and pnpm can be optimized by 33x through eliminating duplicate validation steps and implementing more efficient parsing. During package installation, these tools make over 21,000 semver function calls, with most being redundant validation before parsing. By following the 'parse, don't validate' principle and writing a custom parser, performance improvements of 10-25x are achievable, significantly speeding up dependency installation across all major JavaScript package managers.

  24. Article · Astro · 1y

    What's new in Astro - April 2025

    Astro's April 2025 update highlights recent activities and developments within the ecosystem, including the launch of Astro 5.6 and 5.7 releases, achieving 2 million monthly downloads, and the introduction of new themes and templates. The update also features contributions from the community, recognition of notable adopters, and various integrations and tools. Additionally, insights into the Astro Agency Partner Program and community updates are shared.

  25. Article · WebDev · 51w

    lots-o-nekos - cat follow mouse real!

    lots-o-nekos is an npm package that creates animated cats following your mouse cursor on web pages. It's a fork of oneko.js with enhanced customization options, TypeScript support, and comprehensive documentation. The library prioritizes ease of use and allows developers to add playful cat animations to their websites.