What the Shai-Hulud npm Worm Means for Node.js Developers

The Node.js ecosystem has been disrupted by self-replicating malware called Shai-Hulud.

In September 2025, researchers found that Shai-Hulud had infected more than 500 npm packages, including some from trusted maintainers. The worm did not just publish a few bad versions. It spread automatically, using stolen credentials to infect other packages owned by the same developer.

Read more

Mapepire Q&A

A friend in the IBM i vendor community asked me about Mapepire from a popularity and security perspective. He had read about Seiden Group’s support for the Mapepire Db2 for i driver. I have provided his questions and edited versions of my answers below.

Read more

Physical File GREP (PFGREP): Fast IBM i Source Code Search

Our 2023 article on searching source physical file members using the QShell grep command showed grep’s potential. In practice, while we found QShell grep to be flexible, we also experienced slow performance and occasional errors.

Now, our own Calvin Buckley has built an improved grep command called pfgrep to search traditional IBM i source physical file members. Quick and reliable, pfgrep is also free and open source.

Read more

New QSHONI Commands: Integrate Python, PHP, Java with CL & RPG

A few years ago I introduced you to my QShell on i utility – QSHONI. QSHONI makes it easy for traditional CL, RPG, and COBOL programs to call Python utilities and other QShell/PASE utility programs (PHP, Node, Java, etc.) and directly use their output. QSHONI opened up a whole new world of integrations to open-source apps from traditional IBM i applications.

I keep thinking I will run out of interesting things to add to the library, but the ideas keep on flowing.

Read more

Integrating Open Source on IBM i: Advanced Topics and Optimization

Pairing open source with traditional IBM i programs works great for APIs, web, and mobile applications. But how do you stay on top of your business’s requirements for speed and scalability?

OCEAN User Group recently asked Alan to help answer that question. In the recording of their November meeting (also linked from the graphic below), he covers:

Read more

What’s in Your ODBC Driver? A 2024 Update

Since IBM announced Yum support for installing the IBM i Db2 ODBC driver, as documented in our 2022 tutorial, users can update their driver more easily.

To help users determine what’s changed, IBM maintains a list of fixes and enhancements for each IBM i ODBC driver release.

Read more

Update Corrects an Issue Loading libpq.so

IBM has delivered a fix for an issue with the libpq (PostgreSQL) package. The libpq RPM installer script had a subtle issue where the symbolic links did not get created correctly. IBM i users saw warnings like these:

Read more

Call/Parm Your Open Source Apps from RPG and CL with QSHCALL

A few years back I created the QShell on IBM i (QshOni) project to allow QShell/PASE (open source) apps to be more easily integrated and used with traditional IBM i job streams written in RPG and CL. Since then, many developers have adopted QshOni to utilize their open source apps in conjunction with their classic traditional apps.

Recently I added several new commands to QshOni to make living the PASE life even easier for RPG developers. Today’s focus will be on the QSHCALL command.

Read more

Node.js v20 and Other Updated Packages Require New IBM i Repositories

As we mentioned in our article on installing ODBC via yum, the latest IBM i open source packages require new repositories.

A notable example is Node.js v20. When we hear users say, “I don’t see Node.js v20 listed in available packages, and yum returns ‘No package nodejs20 available’,” the reason invariably is that the new repositories, ibmi-base and ibmi-release, have not been installed.

Read more

What IBM i Users Should Check when Learning of an Open Source Security Vulnerability

A client asked about a vulnerability found in libwebp, which is used by PHP’s image-handling gd extension.

My first step was to find a reputable source for details. According to this trusted article about the vulnerability, the issue affected only libwebp versions 1.3.1 and earlier. I checked our own system and found we had a patched version from IBM, so we were safe. The client was, too.

Here is the procedure you can use for checking the version of this or any other open source package on IBM i. Read more