Node Congress 2026

Kenton Varda advocates for using CapnWeb, an RPC protocol, over REST for web APIs, emphasizing benefits for humans and AI agents. CapnWeb simplifies client-server communications by treating them as function calls. TypeScript type checking ensures method accuracy in CapnWeb across JavaScript runtimes. Stubs in CapnWeb allow method calls to execute on remote objects and simulate all possible method names for remote calls. Converting REST APIs to CapnWeb streamlines code and improves API calls. CapnWeb enhances API functionality with object-specific RPC sessions and promises pipelining for multilevel API optimization. AI agent security challenges are addressed with sandboxing and token protection in CapnWeb. CapnWeb capabilities for AI agents include passing restricted CapnWeb stubs and exploring capability-based security with CapnProto.

Matteo Collina discusses Node.js, its single-threaded design, and the introduction of threads in 2018 for parallelism and CPU utilization. Node.js production monitoring focuses on application health, fault tolerance, and event loop efficiency. VAT architecture improves Node.js applications with thread migration and monitoring. Node.js manages threads and failures independently with Prometheus monitoring. Scalability in Node.js involves Kubernetes clusters and in-process scaling. Next.js with React SSR for Node.js applications enables dynamic scaling and performance. Node.js handles CPU blocking and SSR performance by utilizing multiple threads.

The Talk introduces APIs, Codemode, and MCP, highlighting the role of APIs in empowering agents and AI's access to external resources. CloudFlare's evolution with MCP involves remote tool sharing and addressing challenges like large context windows. Challenges in Cloudflare's API tool access include progressive tool disclosure and splitting MCP servers. The discussion covers tool search, project management API creation, CodeMode concept, and self-documenting tools for secure tool execution. Proposed solutions include Code Mode, SDK generation, efficient control flow, token efficiency, and secure code execution. Key topics include dynamic worker loaders, Cloudflare API integration, Visitor Counter implementation, and exploring MCP server functionality.

JavaScript developers face security risks in npm packages with self-replicating worms compromising packages. Supply chain attacks target prolific maintainers leading to unauthorized code injections. Vulnerabilities in package maintainers and implicit trust contribute to successful attacks. Secure package installation practices vary between npm and Deno. AI-generated code introduces new security risks with embedded secrets. Secure AI code execution involves sandboxing for isolation and secure handling of API keys.

James Snell discusses challenges in current stream APIs, proposes a new, faster, and simpler streams API while questioning the existing Web Streams model. Discussion includes the necessity for a new API due to excessive ceremony, confusing locking mechanisms, and complex specifications, especially in controller APIs. Challenges with controller API optimization, hidden buffering, and excessive memory usage are highlighted. The talk delves into the cost and complexity of promises in JavaScript, optimizing readable streams, and managing complexity in stream implementations. Optimizing stream processing in JavaScript, data chunk processing, back pressure policies, multi-consumer patterns, and efficient branch cursor management are explored. The new API aims at simplifying stream processing by eliminating unnecessary operations, reducing promise overhead, and focusing on iterators, transforms, and back pressure for efficiency and simplified design.

JavaScript ecosystem enables versatile development for mobile using frameworks like React Native, Expo, and Bear. Challenges arise in porting server logic to mobile due to limitations in reusing core logic between backend and mobile. Bear stands out as a versatile runtime for iOS, Android, React Native, and Expo, allowing selective module integration. The integration of Bear with React Native simplifies mobile app development and background task execution. Bear emphasizes a 'less is more' philosophy, offering flexibility in engine compilation and compatibility with various platforms. It also supports streamlined native add-on development, NAPI support, and controlled upgrades for pushing runtime limits.

Rui Adorno emphasizes the power of dependency graphs in JavaScript projects, highlighting the underutilized graph structure and the importance of understanding metadata. The discussion delves into advanced dependency selector syntax, integrating query language with VLT client for updates and additions, running tests, and updating versions. The exploration of VLT client features includes secure package installs, phased installation processes, and DSS capabilities. Multi-project package filtering is expanded through DSS query language with a host local selector for benefits like script inspection and AI agents.

Marco Ippolito discusses the complexities of configuring NodeJS features and the need for a centralized config file. He explains the challenges of managing multiple flags for different features and demonstrates how to enhance developer experience by using specific flags to address TypeScript integration and testing procedures. The text discusses the challenges of managing multiple configuration flags in NodeJS and introduces the concept of using node options as an alternative to passing numerous flags directly after the node command. Node options provide a solution for managing configuration flags in NodeJS, simplifying the command structure and enabling the use of .mfile for configuration settings. I sent a PR to introduce the experimental config file feature in Node.js, including two major flags: experimental default config file and experimental config file, allowing customization of configuration settings through JSON files with version-matched schemas for IDE support and auto-completion. V8 flags in Node.js provide customization options, with a priority hierarchy among CLI, Node options, and config files, excluding no-op flags. Node 25 introduces new namespaces for test configuration, watch settings, and permissions, simplifying the configuration process and enhancing developer experience. Node.js JSON configuration offers convenience with a built-in JSON parser and plans for more namespaces and explanatory text in the JSON schema to simplify configuration management.

Introduction by Ed Silva, a Node.js core collaborator, discussing the significance of AI in 2026. Companies facing challenges in AI implementation, focusing on AI integration and the need for developer skills. Demonstrations of Node.js egg cooking using Hug and Face community and model inference with Hug and Face Transformers. Transformers JS extending NLP to computer vision and audio tasks, utilizing O-N-N-X format for model execution. Tasks and examples available in Transformers.js for NLP and computer vision, emphasizing model differentiation and execution processes. Optimization techniques for model download trade-offs, GPU utilization, and experimentation possibilities with models like Hugging Face.

Mike's enthusiasm for TypeScript, its widespread adoption, benefits in development, and its downside in terms of speed. Exploring TypeScript's slow performance in build speeds and its implications on project deployment in CI environments. Running TypeScript build commands and optimizing build speeds by managing project size. Reducing build times by breaking down large projects into smaller, isolated modules using monorepos. Exploring the limitations of path aliases and the importance of utilizing workspaces for efficient code isolation and faster TypeScript performance. Discussing project references efficiency in TypeScript builds and the impact on compiler and build speed. Discussing the impact of live evaluation on editor speed and how pre-build scripts can significantly improve completion time and overall typing experience. Avoid live evaluation for large projects, consider pre-builds. Discussion on TypeScript port to Go and its impact on future versions. Importance of optimizing project setup for speed and efficiency.

Introducing Node.js security overview, defining vulnerabilities, non-vulnerabilities, and preventive measures. Discussing Node.js API input validation, real vulnerabilities like HTTP server crashes, and the importance of Node.js security in widely used platforms. Discussing the importance of Node.js maintenance, the introduction of experimental permissions in Node.js 20, and the seatbelt philosophy to protect against malicious code. Discussing the importance of maintaining up-to-date Node.js versions and using tools like npx isMyNodeVulnerable for security checks. Discussing the importance of Node.js security releases, funding, and dependency vulnerability assessment for a safer Node.js environment. Using Node.js Dependency Vulnerability Assessment to evaluate and address potential vulnerabilities, ensuring automated security checks and updates for a safer Node.js environment. Automating Node.js security release process, including configuration files for dependencies, extensive testing across various environments, and creating security release issues and blog posts automatically. Support for various environments, extensive testing with over 55 suites and 5,000 unit tests, automation efforts to streamline processes, and the establishment of a maintenance threat model for enhanced security measures. For a single pull request, it takes six hours to run tests, automation efforts in progress, maintenance threat model to address security risks, permission model roadmap, ongoing discussions on security reports, and plans for the Node.js Collaborator Summit. Active community involvement in Node.js security development, four security releases from 2024 to 2026 addressing various vulnerabilities, end-of-life version strategy with Node.js 16 and 18 having high weekly downloads, and the approach to issuing CVEs for end-of-life versions. Node.js project's strategy adjustment for CVEs to include end-of-life versions, importance of Node.js threat model, trust boundaries, and developer responsibilities. Node.js protection against network data, upgrade recommendations for different Node.js versions, and upcoming changes in Node.js release schedule.

Vinicius Neves emphasizes practical considerations over speed comparisons when choosing a JavaScript runtime. The discussion delves into debugging and observability differences among Node, Dino, and Bun at 3 a.m. Metrics, error tracking, deployment, and serverless capabilities are explored across these runtimes. Serverless deployment challenges and considerations, including CICD integration and deployment target relevance, are highlighted. Serverless cold start performance is compared, with Bun leading, followed by Dino and Node. The talk also emphasizes hiring considerations, NPM compatibility issues, permission models, and testing workloads before committing to a runtime.

Welcome to a talk on testing Node.js apps in production using Test Container. Developing features, passing unit tests, and deploying can be smooth. Issues post-deployment due to integration gaps are common. Test Container library facilitates real-world integration testing by encapsulating services in Docker containers. Enhancing Docker Compose with Test Containers streamlines container management. Running tests with Redis Docker image and testing with Walkie Container demonstrate easy service swapping. Dynamic port allocation and image loading considerations for isolated infrastructure.

Using Node to simplify common tasks in local environments and CI. Customization hooks and extending Node for additional file types are discussed by Jacob Smith. Node's need to understand different file types for main.tsx. Avoid using bundlers for local environments. Extending Node with customization hooks for asynchronous work is discussed. Spinning up infrastructure for async work is crucial. Utilize single responsibility principle for handling specific functionalities like CSS modules and media URLs. Collection of loaders/customization hooks simplifies integration with Node for various tasks. You don't need extensive knowledge of the inner workings. A demonstration highlights the usefulness of this approach in web development. Using customization hooks can significantly improve testing efficiency and speed. Node can spin up quickly without needing additional time. Minimal configuration is required, focusing on CSS modules and media URLs. Small, encapsulated functionalities do one thing, not heavily interacting with each other. Alternatives like Vite and Vitest are popular but may not offer the same performance as Node alone. Customization hooks allow precise usage, unlike solutions with a broader scope. The size impact difference is significant, with tiny customization hooks compared to larger alternatives, showing similar performance in tests.