TypeScript.fm - The Friendly Show for TypeScript Developers

The Grinch Stole MongoDB, a Backend Library Called Vla, and Strongly-typed Event Emitters | News | Ep 50

Jan 6, 2026

This week, learn about a Christmas-day MongoDB exploit dubbed MongoBleed and its risks. Discover a new backend library called Vla that aims to simplify TypeScript development. The community discusses strongly-typed events in game development, plus highlights include templates for React Native and js-draw for canvas work. There’s also a look at a major Color.js update and insights on gameplay trends as the hosts reflect on their gaming experiences over the holidays.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

MongoBleed Exposed Decade-Old Memory Secrets

The MongoBleed flaw leaked in-memory MongoDB secrets by exploiting a zlib buffer handling bug.
Public-facing MongoDB servers are highly vulnerable and require urgent patching and auditing.

ADVICE

Keep MongoDB Off Public Networks

If you run MongoDB, avoid exposing instances publicly and apply patches promptly.
Treat internal-only deployment as a strong mitigation while you update and audit servers.

ADVICE

Monitor The Upcoming Node.js Patch

Watch for the Node.js security release scheduled for January 7 and patch when it lands.
Expect possible delays and prioritize testing before rolling to production.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

News for the weeks of December 22 and 29, 2025: MongoDB exploit drops on Christmas day in true Grinchy fashion, a new backend library called Vla that is far from blah, and starter templates for your next React Native app. From the community: NodeTLV keynote, strongly-typed events in gamedev, and a 6-hour deep dive into Doom in TS.

Sponsored by Excalibur.js
Excalibur.js is the free and open source friendly TypeScript 2D game engine for the web. Learn to make web games with TypeScript or JavaScript! Excalibur comes out-of-the-box with everything you need, like physics, sprites, animations, sound effects, and first-party plugins for popular 2D gamedev tools.

Homepage and Docs: https://excaliburjs.com
Make Your First Game in 10 Minutes
Join the Discord: https://discord.gg/9UemP985Uy

Chapters

(00:00) - Welcome to the New Year
(07:52) - News: The Grinch Stole Your Secrets with MongoBleed
(10:39) - News: Node.js Security Release Expected January 7
(11:13) - Library Watch: Vla, the Missing Backend Library for TypeScript
(13:13) - Library Watch: macOS iMessage API SDK for TypeScript
(13:53) - Library Watch: React Native UI Templates
(14:51) - Library Watch: js-draw, a Canvas Drawing Library
(15:48) - Community Highlight: Strongly-typed Events in GameDev by Justin Young
(16:19) - Community Highlight: Flint, a Modern Linting Engine by Josh Goldberg
(16:42) - Community Highlight: Tooling Like It's 2025 by Josh Goldberg
(16:59) - Community Highlight: Major Color.js Update by Lea Verou
(19:18) - Community Highlight: Building Reusable Form Component Library with TanStack Form by Matt Huggins
(19:54) - Community Highlight: Static Hermes is Pretty Cool by Devon Govett
(21:11) - Community Highlight: DOOM in TS Types Stream by MiTS
(22:09) - Community Highlight: Solitaire in TypeScript by Oidoid
(22:57) - Community Highlight: Lo-fi Valley Engine by Leocast
(24:12) - Bleet of the Year
(25:26) - Cool Link: TypeScript Function Inlining
(25:49) - Cool Link: Pass Key Explainer
(29:58) - Cool Game: Outer Worlds 2
(31:26) - The Minnesota Long Goodbye

News

PSA: Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed
PSA: Node.js — Wednesday, January 7, 2026 Security Releases
Library Watch: Vla, a data layer that integrates into any TypeScript framework
Library Watch: TypeScript SDK for iMessage automation on macOS
Library Watch: React Native UI Templates
Library Watch: js-draw, pencil/pen drawing utilities for JS and Canvas

From the Community

Justin Young: Strongly Typed Events in GameDev
Josh Goldberg: NodeTLV Keynote, Tooling Like It's 2025
Josh Goldberg: What Flint Does Differently
Lea Verou: ColorJS major release
Matt Huggins: Building a Reusable Form Component Library with TanStack Form
Devon Govett: Static Hermes is pretty cool
MiTS: Doom TS deep dive stream
oidoid: Super Patience - Pixelated Solitaire in Typescript
Leoocast: Lofi Valley Engine - Make your dream Stardew Valley clone

Cool Links

Cool Watch: How Passkeys Work - Computerphile
Cool Tool: JoshuaKGoldberg/ts-function-inliner: TypeScript transformation that inlines calls to small functions
Cool Game: Outer Worlds 2, from the developers of Fallout: New Vegas and Avowed

Music
Seahorse Dreams by Kubbi (Spotify)