Dev Digest — September 2025

Node.js v25 is scheduled for October 15, 2025 (commit cutoff 2025‑09‑15). Teams should run CI against the new major, validate native modules, and prepare canary deployments.

WebAssembly 3.0 finalised (Sep 17, 2025): 64‑bit address space, multiple memories, host garbage collection, JS string builtins and SpecTec for a verifiable spec — a step change for compiling high‑level languages and server‑side Wasm.

NixOS 25.05 (Warbler) is out with Linux 6.12 LTS/6.14 kernels, GNOME 48, LLVM 19/GCC 14, a 7,000+ package refresh and an experimental nixos-rebuild-ng rewrite — what this means for reproducible builds and CI.

Microsoft published TypeScript Native Previews: a Go‑based compiler/language service (tsgo) that delivers ~10× type‑checking and editor-load speedups on large codebases — try the preview but test for behavioral diffs.

Microsoft’s Visual Studio 2026 Insiders (Sept 2025) ships broad AI-first features — adaptive paste, bring‑your‑own‑model Chat, a Profiler Copilot Agent, BenchmarkDotNet templates and improved CMake/C++ profiling — shifting how performance, debugging and code composition are done inside the IDE.

Prisma will promote its Query Compiler—moving query execution from a Rust binary into a TypeScript query compiler and driver adapters—to GA in September 2025, eliminating native query-engine binaries and enabling much simpler serverless, edge, and bundling workflows.

Git 2.51 (released Aug 18, 2025) lays the concrete groundwork for Git 3.0 by preparing SHA‑256 as the default hash and reftable as the default reference backend while delivering MIDX, packing, and stash improvements that materially affect large repositories, CI, and tooling.

HubSpot announced a consolidated Developer Platform (Sep 3, 2025) — unified Developer Projects, Agent Tools for Breeze agents, richer UI extensions, CI/CD and local-dev improvements, and CLI migration tooling for partners and app builders.

Android will require verified developer identities for apps installed on certified devices (including sideloaded and third‑party store apps); early access in Oct 2025, registration opens Mar 2026, regional enforcement begins Sep 2026.

A malicious npm package impersonating an esbuild binary (esbuild-linux-arm32) was flagged in August 2025; check lockfiles, remove unexpected esbuild-* packages, and rotate secrets if present.

Azure announced Azure Functions Proxies will be unsupported after 2025‑09‑30; teams still using Proxies must inventory and migrate to a supported API surface (APIM, Front Door, or a lightweight reverse proxy) immediately.

GCC 15 (notably 15.1 with 15.2 bug‑fix followup) ships C23 as the default, stronger diagnostics/SARIF support, incremental LTO, improved OpenMP offload and many C/C++/tooling quality‑of‑life changes — update CI and pin language modes before upgrading.

Google released a security update (Sep 17–18, 2025) that patches CVE‑2025‑10585 — a V8 type‑confusion zero‑day exploited in the wild — plus three other high‑severity browser engine bugs. Update Chrome and any CI/headless browser images immediately.

npm now supports Trusted Publishing via OpenID Connect (OIDC) in CI/CD: remove long‑lived npm tokens from workflows, restrict publishes to specific pipelines, and reduce the risk from leaked automation credentials.

PostgreSQL 18 Release Candidate 1 is out (Sep 4, 2025); it introduces an asynchronous I/O subsystem (io_uring on Linux), virtual generated columns by default, uuidv7, OAuth auth support, richer EXPLAIN data, data‑checksums enabled for new clusters, and a new wire protocol (3.2). GA is scheduled for Sep 25, 2025.

On Sep 8, 2025 a maintainer account was phished and malicious versions of widely used npm packages (chalk, debug, ansi‑styles, etc.) were published; the payload targets browser wallet APIs and could silently rewrite crypto transaction destinations.

OpenSSL 3.5 (LTS) adds server‑side QUIC, PQC algorithms (ML‑KEM, ML‑DSA, SLH‑DSA), EVP_SKEY opaque keys and new TLS configurability — a practical upgrade path for servers, proxies and runtimes that depend on OpenSSL.

On Aug 26, 2025 attackers published malicious Nx packages to npm by exploiting a GitHub Actions workflow injection and stealing an NPM publishing token; packages ran postinstall hooks that scanned systems and exfiltrated data using local AI CLIs.

Apple published iOS 26 / iPadOS 26 / macOS 26 beta 9 along with Xcode 26 beta 7 (Sept 2, 2025). Mobile and CI teams should validate apps and update build images before the public release window.

Firefox 141 (stable) ships the WebGPU API on Windows, making high‑performance GPU compute and rendering broadly available to web developers.

A new paper introduces NodeShield, a runtime enforcement system that uses SBOMs extended with per‑dependency capabilities (CBOM) to prevent supply‑chain abuses in Node.js with ~98% effectiveness and <1ms overhead.

Java 25 (Oracle JDK 25) is available (Sep 16, 2025): 18 JEPs that simplify Java for scripting, extend pattern matching to primitives, advance structured concurrency and scoped values, add AOT ergonomics/profiling, vector API improvements, and post‑quantum crypto readiness — Oracle offers extended support and OCI performance integrations.

Canonical targets upstream Linux 6.17 for Ubuntu 25.10 and warns the distribution may ship with a release‑candidate kernel if the stable upstream kernel misses the distro freeze.

A moderate integer‑overflow in SQLite's FTS5 extension can lead to out‑of‑bounds writes from crafted DB files or attacker queries; upstream patched and distro packages rolling updates — developers must patch or rebuild.

Go 1.25 (released Aug 12, 2025) brings DWARF5 debug output, a spec‑correct nil‑pointer fix that can cause previously‑silent programs to panic, an experimental jsonv2 implementation for much faster decoding, new testing and vet tooling, and a few build/runtime defaults that affect CI and debugging.

Kubernetes v1.34 graduates Dynamic Resource Allocation to GA and adds kubelet-projected ServiceAccount tokens for image pulls plus pod-level resource requests — immediate implications for GPU/accelerator workloads, image-pull security, and autoscaling.

Rust 1.90 (stable, expected Sep 18, 2025) makes LLD the default linker for x86_64-unknown-linux-gnu — big link-time reductions for Linux builds; opt-out and mitigation steps included.

Edge now offers developer‑preview Prompt and Writing Assistance APIs that let web apps call an on‑device Phi‑4‑mini model for generation, summarization and structured outputs — low‑latency, private LLM features inside the browser.

Docker Engine v25 changes BuildKit's systemd ulimit behavior, adds OpenTelemetry tracing, CDI device support, and other build/runtime features that can affect CI and containerized builds.