Rafael Gonzaga
NodeSource, Principal Open Source Engineer
São Paulo, Brazil
Rafael is a Principal Open Source Engineer at NodeSource and a member of the Node.js Technical Steering Committee, where he works full-time on the Node.js runtime with a focus on security and performance.
His work spans runtime internals, benchmarking, and secure system design, with contributions to widely used tools in the Node.js ecosystem.
The State of Node.js Security
In "The State of Node.js Security," I will provide an in-depth analysis of the initiatives led by the Node.js Security Team, exploring their significance and the benefits they bring to end-users.
Since 2022, we’ve accomplished a lot of tasks and the goal of this talk is to showcase the concluded initiatives, highlighting the advancements made in fortifying the security of Node.js applications. Furthermore, I'll unveil what you can expect from upcoming releases, offering a glimpse into the future of Node.js security.
From vulnerability management to secure coding practices and beyond, this talk will equip you with valuable insights into the measures taken to enhance protection and ensure a more secure Node.js environment.
Node.js Performance in 2026 - Where We Are and What’s Next
Node.js performance evolves quickly, but understanding what actually improves in practice is not always straightforward. This talk is based on my personal State of Node.js Performance series, where I analyze performance changes across Node.js releases using reproducible and data-driven approaches.
The session explores Node.js performance from several angles, including internal microbenchmarks, core subsystems such as the file system, streams, async primitives, and networking, as well as commonly used user-land libraries and HTTP frameworks. It shows how changes in Node.js and V8 translate into real differences in throughput, latency, and scalability under realistic workloads.
A strong emphasis is placed on methodology. The talk explains how benchmarks are designed, executed, and validated using dedicated hardware, controlled environments, and statistical techniques to avoid misleading conclusions. It also covers common benchmarking pitfalls and how to interpret results responsibly.
The talk closes with insights into ongoing and upcoming initiatives within the Node.js project that are likely to influence performance in the near future, helping teams make informed decisions when upgrading or tuning their applications.
Based on my personal State of Node.js Performance series, this talk looks at how Node.js performance changes over time in a practical and approachable way. We explore core features, popular libraries, and HTTP frameworks, focusing on what really affects throughput and latency in real applications. The session also shares how to run reliable benchmarks and how to read performance results with confidence, ending with a look at what’s coming next for Node.js performance.
What's new in Node.js Security
This talk explores how Node.js security has evolved recently, focusing on concrete changes that developers can actually use. It covers the Permission Model, improvements across core modules, and lessons learned from recent Node.js security releases.
The session looks at how the Permission Model works in practice, what problems it solves, and where its current boundaries are. It also walks through recurring vulnerability patterns seen in recent releases, how they were fixed, and what those fixes mean for real applications. Along the way, we discuss changes in defaults, runtime hardening, and improvements in Node.js security processes.
Rather than treating security as a checklist, the talk connects runtime features, security releases, and real-world incidents to practical guidance. The goal is to help developers better understand the current security posture of Node.js and make safer decisions when building, upgrading, and running their applications.
This session covers recent Node.js security features and releases, including the Permission Model, and shares practical lessons that developers can apply to build safer Node.js applications.
Why Your Node.js Benchmarks Are Still Wrong
Benchmarking Node.js looks simple, but getting meaningful results is still surprisingly hard. This talk explains why many Node.js benchmarks continue to produce misleading conclusions, even when they appear careful and well-intentioned.
We walk through common benchmarking pitfalls, including unrealistic workloads, unstable environments, overreliance on microbenchmarks, and misuse of statistics. The session shows how small methodological choices can dramatically change results, leading teams to optimize the wrong things or draw incorrect conclusions about performance.
The talk also presents better approaches. It covers how to design benchmarks that are closer to real applications, how to control noise, how to validate results using basic statistical techniques, and how to reason about performance changes responsibly. Throughout the session, real Node.js examples are used to show where benchmarks go wrong and how they can be improved.
The goal is to help developers and teams build a healthier mental model of Node.js performance, so benchmarks become a useful tool rather than a source of confusion.
This talk focuses on common mistakes in Node.js benchmarking and shares practical guidance on designing, running, and interpreting benchmarks more reliably.
Node.js Year in a Talk
Node.js evolves quickly, and keeping up with what actually matters can be difficult. This talk offers a curated overview of the most important changes across the Node.js ecosystem over the past year, focusing on what has real impact for developers and teams.
The session covers key updates in the runtime, including performance improvements, security changes, and notable additions to core APIs. It also looks at shifts in tooling, release practices, and ecosystem trends that influence how Node.js applications are built and maintained in production.
Rather than walking through release notes, the talk connects changes to real-world implications. It highlights why certain updates matter, what problems they solve, and what developers should pay attention to when upgrading or planning future work.
The goal is to give attendees a clear and practical picture of where Node.js is today and how the past year’s changes shape the road ahead.
A practical overview of the most relevant Node.js changes from the past year, focused on real impact rather than release notes.
Lies, Damn Lies, and Benchmark
Join me for a simplified dive into benchmarks and Node.js! Have you ever wondered about those bold claims stating one thing is better than another? Well, benchmarking, the process of comparing performance, can be quite tricky. It's like navigating through a maze of confusion, complexity, and potential errors.
In this talk, we'll unravel the mysteries of benchmarks, shedding light on why they can be unreliable, confusing, and sometimes just plain wrong. Just like how car brands only highlight stats that make their vehicles seem superior, benchmarks can often be skewed to favour certain outcomes. This talk will explore benchmark methodologies used in Node.js core.
5 Ways You Could Have Hacked Node.js
Join me as I take you on a deep dive into the world of Node.js security. As a member of the Node.js Security team, I've witnessed firsthand how all languages are or were vulnerable to some kind of threat. In the year 2025, our team performed numerous Security Releases, some of which presented challenging situations that required creative solutions.
If you're interested in the technical aspects of hacking and securing Node.js, you won't want to miss this talk. I'll share with you 5 ways in which Node.js can be hacked, and delve into the tactics used by the Node.js team to deal with vulnerabilities. Moreover, I'll also reveal how you can earn money by finding critical vulnerabilities in Node.js. So, whether you're a developer, a security enthusiast, or simply curious about Node.js security, this talk is for you. Join me and let's explore the exciting world of Node.js security together!