Go Mercedes!
Aaron Goldenthal's avatar Mercedes AMG Petronal Formula 1 Team emblem Aaron Goldenthal

The Year in Review 2025

State of the Blog

As usual, it's been another busy year, focused mostly of sustaining of my existing projects and setting a new record with almost 500 software releases. I've continued development of new, and adoption of some existing, tools and techniques to improve productivity and software quality. In addition, I joined the Pa11y team where work has ramped up again resulting in several needed, major releases.

Blog posts #

I didn't start this year with any specific goals for blog posts because I was so busy with other projects that I only managed two posts. They're related to subsequent topics in this post and are linked there.

Software projects #

This year was busy with software development rather than writing, with a handful of new items to note.

I joined the Pa11y team #

Last year, with some uncertainty in support for the Pa11y projects, I had released forks of both pa11y and pa11y-ci as interim fixes until the long-term plans of the team were better understood. In 2025, I, and several others, joined the Pa11y team and there has been a resurgence in development. This led to two major releases (and a few minor/patch releases as well):

  • The release of pa11y@9.0.0, which was the first major release in over a year.
  • The release of pa11y-ci@4.0.0. This was the first major release upgrading from pa11y@6.2.3 (released in 2022) to pa11y@9.0.0.

Work is ongoing, so expect continued support and enhancements this year. A significant upgrade to the axe runner, improving the treatment of issues requiring manual review (see PR #685), is close to release.

My open source software projects #

This year was full of a lot of sustaining work on existing projects, with a few new and noteworthy items.

In 2025 I started four new projects, and between those projects and my other existing projects shipped 479 releases (63 major, 131 minor, 276 patch), which is a new record. Even though many of those were routine sustaining updates (refactoring, security patches, dependency updates, etc.), it reinforces that continuous delivery practices and extensive automation do improve productivity and the ability to confidently release software.

Full list of 2025 new projects
Project Description
Container Images / Kaniko A project to build container images for Chainguard's kaniko fork.
Container Images / PSScriptAnalyzer A container image to run lint and SAST analyses on PowerShell scripts with PSScriptAnalyzer.
Tests / Container Multi-Platform Test A multi-platform container project to test CI jobs.
Tests / Node Web Test A Node.js project to test CI pipeline jobs for web pages/applications.
Full list of 2025 software releases
Project Releases
Container Images / Cloc 9 (2.0.1, 2.0.0, 1.6.2, 1.6.1, 1.6.0, 1.5.0, 1.4.1, 1.4.0, 1.3.1)
Container Images / Go Test 24 (3.0.1, 3.0.0, 2.9.9, 2.9.8, 2.9.7, 2.9.6, 2.9.5, 2.9.4, 2.9.3, 2.9.2, 2.9.1, 2.9.0, 2.8.3, 2.8.2, 2.8.1, 2.8.0, 2.7.3, 2.7.2, 2.7.1, 2.7.0, 2.6.1, 2.6.0, 2.5.8, 2.5.7)
Container Images / Image Tools 24 (3.0.3, 3.0.2, 3.0.1, 3.0.0, 2.2.0, 2.1.1, 2.1.0, 2.0.0, 1.8.2, 1.8.1, 1.8.0, 1.7.3, 1.7.2, 1.7.1, 1.7.0, 1.6.0, 1.5.1, 1.5.0, 1.4.1, 1.4.0, 1.3.0, 1.2.4, 1.2.3, 1.2.2)
Container Images / Kaniko 10 (1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0)
Container Images / PSScriptAnalyzer 4 (1.2.0, 1.1.0, 1.0.1, 1.0.0)
Container Images / Puppeteer 9 (16.0.1, 16.0.0, 15.2.0, 15.1.2, 15.1.1, 15.1.0, 15.0.0, 14.2.0, 14.1.0)
Container Images / Syft 9 (2.0.0, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0, 1.2.8, 1.2.7, 1.2.6)
Container Images / Vale 29 (3.8.2, 3.8.1, 3.8.0, 3.7.10, 3.7.9, 3.7.8, 3.7.7, 3.7.6, 3.7.5, 3.7.4, 3.7.3, 3.7.2, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.5, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.1, 3.4.0, 3.3.6, 3.3.5, 3.3.4, 3.3.3, 3.3.2)
Node / Stylelint Config Standard 3 (21.0.1, 21.0.0, 20.0.0)
References / GitLab Group Project Summary 5 (2.0.0, 1.1.3, 1.1.2, 1.1.1, 1.1.0)
Tests / Container Multi-Platform Test 4 (1.1.1, 1.1.0, 1.0.1, 1.0.0)
Tests / Container Test 9 (1.2.1, 1.2.0, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.6, 1.0.5)
Tests / Node CJS Test 5 (3.0.3, 3.0.2, 3.0.1, 3.0.0, 2.1.0)
Tests / Node ESM Test 8 (2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0.0, 1.1.1, 1.1.0)
Tests / Node Web Test 1 (1.0.0)
Bin Tester 2 (7.0.1, 7.0.0)
CI Logger 2 (8.0.1, 8.0.0)
Config Files 15 (13.3.1, 13.3.0, 13.2.0, 13.1.0, 13.0.0, 12.2.0, 12.1.0, 12.0.1, 12.0.0, 11.5.1, 11.5.0, 11.4.0, 11.3.0, 11.2.1, 11.2.0)
Curl jq 8 (4.0.1, 4.0.0, 3.2.3, 3.2.2, 3.2.1, 3.2.0, 3.1.2, 3.1.1)
Dependency Check 13 (4.5.2, 4.5.1, 4.5.0, 4.4.5, 4.4.4, 4.4.3, 4.4.2, 4.4.1, 4.4.0, 4.3.0, 4.2.2, 4.2.1, 4.2.0)
Docker Sokrates 7 (4.0.0, 3.0.10, 3.0.9, 3.0.8, 3.0.7, 3.0.6, 3.0.5)
ESLint Config Standard 16 (43.0.0, 42.0.1, 42.0.0, 41.0.0, 40.0.0, 39.0.2, 39.0.1, 39.0.0, 38.0.1, 38.0.0, 37.1.0, 37.0.0, 36.0.0, 35.0.1, 35.0.0, 34.0.0)
GitLab CI Env 6 (11.3.0, 11.2.0, 11.1.0, 11.0.0, 10.3.0, 10.2.0)
GitLab CI Templates 32 (49.1.0, 49.0.0, 48.1.0, 48.0.0, 47.0.0, 46.0.1, 46.0.0, 45.0.0, 44.5.0, 44.4.0, 44.3.0, 44.2.0, 44.1.0, 44.0.0, 43.1.0, 43.0.0, 42.0.0, 41.0.0, 40.0.0, 39.0.3, 39.0.2, 39.0.1, 39.0.0, 38.3.1, 38.3.0, 38.2.0, 38.1.2, 38.1.1, 38.1.0, 38.0.0, 37.5.0, 37.4.0)
GitLab PMD CPD 25 (3.0.2, 3.0.1, 3.0.0, 2.10.6, 2.10.5, 2.10.4, 2.10.3, 2.10.2, 2.10.1, 2.10.0, 2.9.0, 2.8.2, 2.8.1, 2.8.0, 2.7.3, 2.7.2, 2.7.1, 2.7.0, 2.6.0, 2.5.6, 2.5.5, 2.5.4, 2.5.3, 2.5.2, 2.5.1)
GitLab Pa11y CI 39 (13.3.1, 13.3.0, 13.2.1, 13.2.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.6.1, 12.6.0, 12.5.1, 12.5.0, 12.4.1, 12.4.0, 12.3.2, 12.3.1, 12.3.0, 12.2.1, 12.2.0, 12.1.1, 12.1.0, 12.0.0, 11.7.3, 11.7.2, 11.7.1, 11.7.0, 11.6.1, 11.6.0, 11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.0, 11.3.4, 11.3.3, 11.3.2, 11.3.1, 11.3.0)
GitLab Releaser 4 (9.0.1, 9.0.0, 8.0.6, 8.0.5)
GitLab Semgrep Plus 24 (11.1.0, 11.0.0, 10.5.1, 10.5.0, 10.4.1, 10.4.0, 10.3.0, 10.2.5, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.4, 10.0.3, 10.0.2, 10.0.1, 10.0.0, 9.5.0, 9.4.0, 9.3.0, 9.2.0, 9.1.4)
GitLab Webhook Renovate Proxy 13 (1.0.3, 1.0.2, 1.0.1, 1.0.0, 0.12.2, 0.12.1, 0.12.0, 0.11.0, 0.10.0, 0.9.0, 0.8.1, 0.8.0, 0.7.0)
Lighthouse 55 (8.2.3, 8.2.2, 8.2.1, 8.2.0, 8.1.3, 8.1.2, 8.1.1, 8.1.0, 8.0.2, 8.0.1, 8.0.0, 7.17.1, 7.17.0, 7.16.3, 7.16.2, 7.16.1, 7.16.0, 7.15.4, 7.15.3, 7.15.2, 7.15.1, 7.15.0, 7.14.4, 7.14.3, 7.14.2, 7.14.1, 7.14.0, 7.13.1, 7.13.0, 7.12.3, 7.12.2, 7.12.1, 7.12.0, 7.11.1, 7.11.0, 7.10.3, 7.10.2, 7.10.1, 7.10.0, 7.9.0, 7.8.2, 7.8.1, 7.8.0, 7.7.0, 7.6.2, 7.6.1, 7.6.0, 7.5.0, 7.4.2, 7.4.1, 7.4.0, 7.3.2, 7.3.1, 7.3.0, 7.2.3)
Pa11y CI CLI Summary Reporter 2 (5.0.1, 5.0.0)
Pa11y CI HTML Reporter 2 (8.0.1, 8.0.0)
Pa11y CI Reporter Runner 5 (6.0.2, 6.0.1, 6.0.0, 5.0.5, 5.0.4)
Pa11y HTML Reporter Plus 2 (5.0.1, 5.0.0)
Pagean 41 (15.3.1, 15.3.0, 15.2.1, 15.2.0, 15.1.0, 15.0.1, 15.0.0, 14.10.1, 14.10.0, 14.9.1, 14.9.0, 14.8.0, 14.7.1, 14.7.0, 14.6.0, 14.5.1, 14.5.0, 14.4.1, 14.4.0, 14.3.0, 14.2.3, 14.2.2, 14.2.1, 14.2.0, 14.1.1, 14.1.0, 14.0.2, 14.0.1, 14.0.0, 13.6.0, 13.5.3, 13.5.2, 13.5.1, 13.5.0, 13.4.0, 13.3.2, 13.3.1, 13.3.0, 13.2.1, 13.2.0, 13.1.1)
Releaselog 4 (7.0.1, 7.0.0, 6.0.3, 6.0.2)
Renovate Config 7 (4.1.1, 4.1.0, 4.0.1, 4.0.0, 3.0.1, 3.0.0, 2.0.0)
Vale Rules for GitLab CI Utils 2 (1.0.7, 1.0.6)

The significant projects and events for the year are summarized in the subsequent sections (ordered predominantly by significance).

NPM supply chain security #

This year saw numerous, large-scale NPM supply chain attacks. Given the ease of publishing, huge catalog of packages, casual treatment of transitive dependencies, and large developer base, it's an attractive target. I was not directly impacted, but it did open the community's eyes to the risks and force mitigating actions.

In July, NPM introduced Trusted Publishing (docs, blog post) to significantly improve the integrity of the publishing process. This eliminates the need for publishing tokens that could be compromised (which we saw this year) and focuses on publishing from CI/CD workflows on trusted platforms. Individual NPM packages must register a specific GitLab or GitHub project as the source, and the CI pipeline or workflow file with the publishing script, then that CI job from that project on that platform can use the platform OIDC to authenticate to NPM and publish projects. This, along with the elimination of long-lived publishing tokens, are significant improvements to the integrity of NPM publishing, although there's still more improvements that could be made. For my part, all of my published NPM packages have moved to trusted publishing.

In addition, it was observed that the large user base, as well as an ever-growing list of security companies, do fairly quickly identify compromised packages. Therefore, allowing some delay after publishing, but before adoption, has been shown to allow community identification of many compromised packages and take mitigating actions. With that, tools like Renovate have adopted a default minimumReleaseAge setting for NPM packages requiring several days for this to occur before updating, and I've adopted that philosophy in my Renovate config presets, which are used in all of my projects.

Type stripping is stable in Node 24 #

I don't think this got nearly as much discussion as it deserved, but with the release of Node 24.12.0 (release notes), the ability for Node to natively execute TypeScript files through type-stripping, without a build or transpilation step, is now stable in the Active LTS release (as well as Node 25, the current release). As a package author, I've published types with libraries for years, but have been resistant to fully adopting TypeScript in those packages, instead leveraging JSDoc types, because of the added overhead and complexity of a build step. The Node implementation does impose some limitations on the use of a few TypeScript features, although one (like me) could argue that these features go beyond pure typing and create new JavaScript when transpiled, so this limitation is not only tolerable, it's desirable. While it will be some time before this is stable in all supported Node versions (April 2027 by my check of the Node release schedule, which is only 15 months away), it's a significant step forward for the ecosystem.

With that, late this year I converted one CLI tool to TypeScript (see this release), and plan to continue as appropriate in 2026. As with implementing any significant new capability, I starting with setting up robust automated tooling, which in this case was an updated ESLint configuration with TypeScript parsing and rules. Given my opinionated stance on linting, it did take some time to get through all of the typescript-eslint rules and setup configurations that properly supported JavaScript (CJS and ESM) and TypeScript files, but the end result is a highly opinionated configuration that I'm happy with, which was published as my last release of the year (see this release).

Chainguard's Kaniko container image #

In mid-2025, after virtually no support for a year, Google officially archived Kaniko, a tool introduced in 2018 to allow building container images in Kubernetes or other containerized environments since it did not rely on the Docker daemon. Shortly afterwards, the Chainguard team, including several of the original Kaniko authors, announced that they had created and were maintaining a fork as a replacement.

While they are maintaining that fork, and have had six releases this year, they are only maintaining the code, not providing any binary artifacts, including a container image. So, I created this Kaniko project, which is simply a CI pipeline and infrastructure to build, test, and deploy a Kaniko container image (built from Kaniko's Dockerfile) to GitLab's container registry (it doesn't contain the Kaniko code, that's pulled from the Chainguard fork repository in CI). You can read the full story in this blog post.

Renovate responsiveness to GitLab repository actions #

My last project of 2024 was the GitLab Webhook Renovate Proxy, which is a Cloudflare Worker that intercepts GitLab merge request and issue webhooks and forwards those that should trigger a Renovate pipeline to re-analyze a project. This year is saw extensive use, and reinforced how effective it is in improving the responsiveness of Renovate running in GitLab CI (beyond simply running scheduled Renovate pipelines). A summary with additional detail is available in this blog post.

Mutation testing #

Last, but certainly not least, I have begun experimentation with mutation testing, incorporating StrykerJS into several of my projects to evaluate its effectiveness in improving test coverage and quality. From their website:

Mutation testing introduces changes to your code, then runs your unit tests against the changed code. It is expected that your unit tests will now fail. If they don't fail, it might indicate your tests do not sufficiently cover the code.

Bugs, or mutants, are automatically inserted into your production code. Your tests are run for each mutant. If your tests fail then the mutant is killed. If your tests passed, the mutant survived. The higher the percentage of mutants killed, the more effective your tests are.

So far it has proved easy to set up and effective at finding gaps in test coverage, although it can be slow given the numerous variations of the test suite that are run.

GitLab CI template tests #

Last year, the GitLab CI Templates project's CI pipeline was updated to trigger multi-project downstream pipelines to allow enhanced testing of templates in the appropriate project types. That was augmented this year with several new test projects to cover additional scenarios including multi-platform container images (which had new jobs and collections added in 2025) and web application testing (which was previously untested). While there are still a few jobs that are not currently tested, this testing now covers the vast majority of the GitLab CI templates project.

Contributions to other open source projects #

I also made contributions to a few other open source projects this year, including knip and Chainguard's fork of kaniko.

Looking forward to 2026 #

Some of the things I'm looking forward to or will hopefully be resolved in 2026 include:

  • The Node.js Release Working Group team has been iterating on proposed changes to the Node.js release and support philosophy. It's not set in stone yet, but looks like it may take effect in 2026.
  • This year included some evaluation of container image hardening techniques, which will continue in 2026. This includes migrating to hardened container base images (for example Docker Hardened Images, Chainguard Images, Google Distroless Images, or others) and container image and software bill-of-materials (SBOM) signing (including container registry support, which is evolving, although very slowly).
  • Continuing to migrate projects to leverage mutation testing and investigate options for improving CI pipeline performance.
  • The future of Kaniko, as it was this year, is a little uncertain. In addition to the Chainguard fork, a community fork has been getting some attention. It doesn't have corporate backing like the Chainguard fork, but it has been more actively developed this year, including security/bug fixes as well as adding missing capabilities (the --annotation flag, for example). I'll be watching both to see how they evolve this year.