⏰ npm Classic Tokens Deadline Nov 19 & PostgreSQL 13 EOL

URGENT: npm Classic Tokens Revoked November 19

Critical Action Required: All npm classic tokens will be permanently revoked on November 19, 2025, affecting developers, CI/CD pipelines, and automation workflows worldwide. npm disabled classic token creation on November 5, giving developers just 12 days to migrate.

Classic tokens lack granular permissions and modern security controls, granting broad access to your entire npm account. If compromised, attackers gain full package publishing rights, making them high-risk security liabilities in today's threat landscape.

Recommended Migration Path: npm strongly encourages adoption of trusted publishing (OIDC), which eliminates long-lived tokens entirely by using temporary, job-specific credentials from CI/CD providers like GitHub Actions, GitLab CI, or CircleCI. For manual operations, generate new granular access tokens with scoped permissions matching your specific needs.

Developers must update all automation, CI/CD pipelines, local configurations, and team workflows before the November 19 deadline to avoid package publishing disruptions. Check your ~/.npmrc files and environment variables immediately.

PostgreSQL 13 Reaches End-of-Life November 13

PostgreSQL 13 will officially reach End-of-Life (EOL) on November 13, 2025, just six days away. After this date, the PostgreSQL Global Development Group will stop releasing security patches and bug fixes for version 13, leaving systems vulnerable to newly discovered exploits.

Developers and database administrators running PostgreSQL 13 in production must upgrade to PostgreSQL 14, 15, 16, or the latest version 18 (which delivers 3x performance improvements with asynchronous I/O using io_uring). The PostgreSQL team follows a five-year support policy for each major version, making version 13 the next to sunset after being released in September 2020.

Upgrade Urgency: Security vulnerabilities discovered after November 13 will remain unpatched in PostgreSQL 13, creating critical risks for applications handling sensitive data, financial transactions, or user information. Plan your migration path now to minimize downtime and ensure compatibility testing before the deadline.

Recommended Action: Evaluate PostgreSQL 18 for the significant performance gains (3x faster with async I/O), or choose PostgreSQL 16 for a stable, well-tested LTS option. Test your application's compatibility with the new version in staging environments before production deployment.

GitHub Actions Expands to 50 Total Workflows

GitHub announced on November 6 that developers can now use up to 10 nested reusable workflows and call up to 50 workflows in total from a given workflow run, dramatically expanding CI/CD pipeline complexity capabilities. The previous limits were 4 nested and 20 total workflows, respectively.

This expansion enables enterprise teams to build more sophisticated automation architectures, supporting complex deployment pipelines, multi-environment testing strategies, and modular workflow components. Large monorepos and microservice architectures benefit most from the increased nesting depth and total workflow capacity.

Developers can immediately leverage these new limits without configuration changes. GitHub Actions automatically supports the expanded capabilities for all repositories, enabling teams to refactor complex workflows into more maintainable, modular components.

TypeScript Overtakes Python as #1 Language on GitHub

In the most significant language shift in over a decade, TypeScript overtook both Python and JavaScript in August 2025 to become the most used language on GitHub, with 2,636,006 monthly contributors (+1.05M year-over-year, +66.6% growth). This milestone marks TypeScript's evolution from a niche alternative to JavaScript into the dominant language for modern web development.

The surge is driven by TypeScript's superior developer experience with type safety, IDE autocomplete, refactoring tools, and compile-time error detection. Major frameworks including React, Angular, Vue, Next.js, and Svelte now default to TypeScript, while AI coding assistants like GitHub Copilot generate more accurate code suggestions for typed languages.

Node.js Integration: TypeScript now runs out of the box in Node.js and is expected to be stable by Node 24 LTS, eliminating the need for separate compilation steps or ts-node workarounds. This native support removes one of the last remaining barriers to TypeScript adoption in backend development.

Python saw a 7 percentage point increase from 2024 to 2025, maintaining its position as the go-to language for AI, data science, and backend development. However, TypeScript's developer velocity, ecosystem maturity, and framework adoption have propelled it to the #1 spot for the first time in GitHub's history.

Windows Zero-Days Patched: CVE-2025-24990, CVE-2025-59230

Two Windows zero-days under active exploitation were disclosed and patched in Microsoft's October 2025 Patch Tuesday update. CVE-2025-24990 (CVSS 7.8) affects the Windows Agere Modem Driver, while CVE-2025-59230 (CVSS 7.8) targets the Windows Remote Access Connection Manager (RasMan). Both enable elevation of privilege attacks.

The Agere driver vulnerability is particularly widespread, shipping with every version of Windows up to and including Server 2025. CISA's Known Exploited Vulnerabilities (KEV) catalog required federal agencies to apply patches by November 4, 2025 (deadline has now passed for government systems).

VMware Zero-Day: Additionally, CVE-2025-41244 (CVSS 7.8) affects VMware Aria Operations and VMware Tools, allowing attackers to attain root-level privileges. Activity is attributed to China-linked threat actor UNC5174. Federal agencies must apply mitigations by November 20, 2025.

Enterprise IT teams should prioritize patching Windows systems and VMware infrastructure immediately. These actively exploited vulnerabilities pose significant risks to organizations, particularly in sectors handling sensitive data or critical infrastructure.

OpenAI-AWS $38B Cloud Deal Ends Microsoft Exclusivity

OpenAI signed a $38 billion infrastructure deal with Amazon Web Services, ending Microsoft's exclusive cloud partnership and marking a strategic shift in AI infrastructure dependency. AWS will provide hundreds of thousands of Nvidia GPUs to support OpenAI's training and inference workloads.

The deal diversifies OpenAI's infrastructure risk and provides access to AWS's global data center footprint, including regions where Microsoft Azure has limited presence. OpenAI will continue using Azure for certain workloads, but AWS becomes the primary provider for new capacity expansion.

This partnership reflects the massive capital requirements of frontier AI development, with leading labs requiring billions in compute infrastructure to train GPT-5 class models. AWS gains a strategic foothold in the AI race, while OpenAI secures the hardware capacity needed for future model generations.

AI Dominates VC: $192.7B in 2025, 53% of All Funding

Venture capitalists poured $192.7 billion into AI startups so far in 2025, setting new global records and making 2025 the first year where more than half of total VC dollars went into AI. AI startups received 53% of all global venture capital in the first half of 2025, jumping to 64% in the U.S. market.

Mega-rounds ($100M+) dominate the landscape, with 60% of global and 70% of U.S. venture capital going to nine-figure funding rounds. Recent highlights include OpenAI's $40B round ($300B valuation), Meta's $14.3B investment in ScaleAI (49% stake, $29B valuation), and Mistral AI's €1.7B Series C (€11.7B valuation).

Canva AI Integration: Canva's new specialist AI model, trained specifically on design, will be available inside ChatGPT, Claude, and Gemini, demonstrating the convergence of vertical AI tools with general-purpose assistants. This partnership model may define how specialized AI capabilities reach users through established platforms.