2025 marked a turning point for TypeScript's role in the JavaScript ecosystem, with TypeScript becoming GitHub's #1 language by contributor count. In August 2025, TypeScript became the most-used language on GitHub with 2,636,006 monthly contributors (+66% YoY), which GitHub called "the most significant language shift in more than a decade." Earlier in the year, Microsoft announced "Project Corsa"—a native port of the TypeScript compiler and language service to Go—targeting ~10x faster builds and major editor responsiveness gains. Initial benchmarks showed the VS Code codebase compiling in 7.5 seconds versus 77.8 seconds, while Playwright dropped from 11.1s to just 1.1s. The JavaScript-based toolchain continues through TypeScript 6.0.x as the ecosystem transitions; TypeScript 6.0 is planned as the last JS-based major release.

Simultaneously, the runtime environment underwent radical simplification. Node.js 23.6 and 22.18 enabled native TypeScript execution via "Type Stripping" by default, a feature that fundamentally bifurcated the language into "erasable" syntax (types, interfaces) and "runtime" syntax (enums, namespaces). By July 31, Node.js 22.18.0 enabled type stripping by default, Node removed warnings in v24.3.0/22.18.0, and later stabilized the feature in v25.2.0. However, this maturation occurred against a backdrop of severe security instability. The ecosystem faced sophisticated, automated threats across multiple npm compromises in 2025, alongside critical serialization vulnerabilities in frameworks like Next.js, such as the "React2Shell" RCE (CVE-2025-55182), a CVSS 10.0 vulnerability forcing a reevaluation of security models governing full-stack JavaScript.

Actions for 2026: audit npm dependencies affected by 2025 compromises and require publish-time 2FA plus granular tokens for maintainers where possible; enable --erasableSyntaxOnly to prepare codebases for Node.js native TypeScript execution; migrate enums to as const objects and namespaces to ES modules before adopting erasableSyntaxOnly / Node type stripping workflows; test TypeScript 7.0 preview (@typescript/native-preview) on CI pipelines to benchmark 10x compilation speedups; patch React/Next.js applications against CVE-2025-55182 and related RSC vulnerabilities; evaluate Biome v2 for type-aware linting with lower runtime overhead; plan migration strategy for TypeScript 6.0 planned deprecations and defaults under consideration (e.g., strict-by-default, automatic @types inclusion disabled).

January 29 — TypeScript 5.8 Beta released, introducing the --erasableSyntaxOnly flag to align with Node.js's experimental type-stripping mode. This beta introduced checked return types for conditional/indexed access types. Earlier in January, Node.js 23.6 unflagged the --experimental-strip-types option, enabling direct execution of TypeScript files without external loaders like ts-node or tsx. This feature, powered by the SWC-based Amaro library, removed the need for a build step in Node.js core for the first time.

February 28 — TypeScript 5.8 reached general availability, featuring granular checks for conditional return expressions and improved require() support for ESM under --module nodenext. The --erasableSyntaxOnly compiler option generates errors for features requiring runtime transpilation—specifically enums, namespaces, and parameter properties—marking them as incompatible with erasable-only execution. The team pulled back conditional return type checking to iterate further for version 5.9. The inaugural TypeScript La Conf took place in Paris, demonstrating growing interest in dedicated TypeScript events globally.

March 11 — In a landmark blog post titled "A 10x Faster TypeScript," Lead Architect Anders Hejlsberg unveiled "Project Corsa": porting the TypeScript compiler from TypeScript to Go. While Rust was considered, Go was selected for superior compilation speed, efficient garbage collection for AST structures, and structural similarity to the existing codebase that facilitated a line-by-line port.

April 15 — TC39 officially withdrew the Records and Tuples proposal after consensus to stop pursuing new primitives via Records & Tuples. Pinterest announced completing migration of 3.7 million lines of code from Flow to TypeScript in an 8-month effort, noting "the industry settled on TypeScript as the standard for JavaScript type checking."

May 28 — Angular released version 20.0.0, deepening Signals integration as the primary reactive primitive and simplifying the CLI by stopping generation of component suffixes. Microsoft released TypeScript Native Previews via npm as @typescript/native-preview, providing a tsgo executable alongside a VS Code extension.

June 17 — Biome v2 launched as the first JavaScript/TypeScript linter with type-aware rules that doesn't require the TypeScript compiler.

June 24 — Vite 7 was released, continuing the Environment API introduced in Vite 6 and adding the experimental buildApp hook.

July 8 — TypeScript 5.9 Beta officially announced, introducing cleaner default tsconfig.json and new editor-oriented features like expandable JSX hover info. Under the hood, 5.9 included compiler optimizations and support for the import defer proposal for lazy module evaluation.

July 31 — Node.js 22.18.0 released with native TypeScript execution support—developers can execute TypeScript with node file.ts without a separate compile step, though type checking still requires running tsc.

August 1 — TypeScript 5.9 released as stable, featuring Import Defer Support (Stage 3), revamped tsc --init generating minimal best-practice configuration, support for --module node20, editor improvements with expandable hovers, and performance tweaks for huge union types.

August 2025 — TypeScript surpassed Python to become the #1 language by contributor count (as later reported in Octoverse).

August 26 — The "s1ngularity" attack targeted the Nx build tool by exploiting a GitHub Actions CI vulnerability—specifically a misconfigured pull_request_target workflow—stealing credentials and publishing infected packages, with over 2,000 secrets/tokens leaked.

September 8 — The debug/chalk compromise hit the ecosystem after phishing targeted maintainers of high-profile packages like chalk and debug. Packages in the set totaled roughly 2.6 billion weekly downloads, and the payload was a crypto-stealing mechanism downloaded over 2.5 million times before discovery. (Datadog Security Labs; Aikido)

September 16 — The "Shai-Hulud" worm reused leaked tokens to compromise hundreds more packages via automation. CISA issued an advisory on September 23, prompting industry-wide audits and npm policy tightening around tokens and publish-time 2FA.

October 1 — React 19.2 released, introducing the <Activity> component for off-screen prioritization and useEffectEvent to solve dependency array pain points, aligning further with the concurrent rendering model.

October 28 — GitHub's Octoverse 2025 report released, confirming TypeScript's dominance and noting that 80% of new GitHub developers were using an AI coding tool within their first week.

November 6 — The first TypeScript AI Conference (tsconf.ai) held in San Francisco, featuring talks on building AI agents in TypeScript, using GPT-4 to refactor large codebases, and AI-driven browser automation. The slogan "Python trains, TypeScript ships" resonated with attendees. GitHub published a Q&A with Anders Hejlsberg discussing TypeScript's rise in the AI era.

November 19 — Angular v21 dropped, bringing Zoneless Change Detection as default, Signal-based Forms overhaul, AI-Powered Developer Tools including an AI hub (angular.dev/ai), and Angular MCP Server for AI-assisted code generation. VS Code 1.107 added experimental TypeScript 7 native language server support.

December 1 — Angular 21.0.2 patched CVE-2025-66412, a stored XSS vulnerability in DOM sanitization discovered by researcher AKiileX. Malicious SVG and MathML attributes could bypass Angular's sanitizer via <svg><animate href="javascript:..."> patterns.

December 2 — The TypeScript team published "Progress on TypeScript 7 – December 2025", confirming TypeScript 6.0 will be the last release on the old codebase and that TypeScript 7.0 targeting mid-2026 will use the Go-based compiler with planned breaking changes (strict-by-default, ES5 target dropped, AMD/UMD/SystemJS removed, classic Node module resolution eliminated). Type-checking reached near-complete parity with only 74 test case gaps out of 20,000.

December 3 — The React core team disclosed CVE-2025-55182, dubbed "React2Shell"—an unauthenticated RCE vulnerability in React Server Components rated CVSS 10.0. The flaw in RSC Flight payload decoding led to RCE; Next.js advisories listed fixes in the 15.x and 16.x lines (plus specific 14.x canary builds). Attackers could achieve RCE with a single HTTP request. Patches rushed out for React 19.0.1, 19.1.2, 19.2.1. Vercel deployed WAF rules to block malicious payloads.

Project Corsa moves the TypeScript compiler and language service to a Go port, targeting major performance and memory gains while signaling a disruptive toolchain transition. In parallel, Node’s type-stripping support enables direct .ts execution in core, and the --erasableSyntaxOnly flag formalizes a “just-JS-at-runtime” path that pushes enums/namespaces toward as const objects and ES modules. The new reality: faster compiles, but stricter runtime constraints and a migration path that favors erasable syntax.

TypeScript’s dominance is reinforced by default TS scaffolding across major frameworks and continued enterprise adoption. Framework updates (React 19.2, Angular 21, Vite 7 and Vite 8 with Rolldown) move the ecosystem toward faster builds and more consistent runtimes, while tooling shifts toward type-aware linting without TypeScript’s compiler (Biome v2) and stronger IDE performance via the Go language service. AI integrations are now standard: Google ADK, Angular’s AI hub and MCP server, and IDE copilots that make TS the default interface for codegen.

The npm ecosystem saw a chain of incidents (s1ngularity, debug/chalk, Shai‑Hulud) that exposed systemic weaknesses in maintainer auth and CI workflows. Security responses now emphasize granular tokens, publish-time 2FA, and stricter release policies. On the app side, React2Shell (CVE-2025-55182) and follow-on issues underscored the risks in RSC serialization, while Angular’s XSS and other runtime CVEs kept security upgrades at the top of 2025’s backlog.

TC39 withdrew Records & Tuples after the proposal failed to reach consensus, while Temporal began shipping in engines even as TypeScript’s standard libs still lack Temporal typings (track TypeScript issue #60164). The type-annotations proposal remains early-stage, but it frames the longer-term path: a JS runtime that can ignore type syntax while TS evolves as a superset. Combined with TypeScript 7’s upcoming breaking changes and API shifts, the standards story is about consolidation, stricter defaults, and fewer “magic” features at runtime.