The Node.js Update #Week 8 of 2019. 22 February

Below you can find a collection of the most important Node.js updates, tutorials & announcements from this week — curated by RisingStack’s Node.js Developers.


February 2019 Node.js Security Releases

The Node.js project will release new versions of all supported release lines on, or shortly after, Wednesday, February 27th, 2019 UTC. These releases will incorporate at least two security fixes specific to Node.js, the highest severity of which is ‘low’.

Releases for all actively supported release lines will be made available to fix the following vulnerabilities.

All versions of Node.js 6 (LTS “Boron”) are vulnerable to:

  • 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400) vulnerability
  • 1 Misinterpretation of Input (CWE-115) vulnerability
  • Possible update to OpenSSL 1.0.2r depending on assessed impact

All versions of Node.js 8 (LTS “Carbon”) are vulnerable to:

  • 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400) vulnerability
  • 1 Misinterpretation of Input (CWE-115) vulnerability
  • Possible update to OpenSSL 1.0.2r depending on assessed impact

All versions of Node.js 10 (LTS “Dubnium”) are vulnerable to:

  • 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400) vulnerability
  • 1 Misinterpretation of Input (CWE-115) vulnerability

All versions of Node.js 11 (Current) are vulnerable to:

  • 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400) vulnerability
  • 1 Misinterpretation of Input (CWE-115) vulnerability
  • Possible update to OpenSSL 1.1.1b depending on assessed impact

Node.js Selected by Google for .dev Top Level Domain Early Access

Back in November, the world received some exciting news from Google that the .dev top level domain would be available in February. Now that the day has come, and Google has rolled out this new option for developers, we are excited to be on the list of early access projects. You can now find Node.js guide content at Nodejs.dev. You will still be able to find Node.js Foundation info as well as the full Node.js website at Nodejs.org.


npm on the Security Risks of Changing Package Owners

A typical Node.js application pulls in hundreds or thousands of transitive dependencies, so concern about malicious packages reaching production is well founded.

“We’ve had a few situations recently which illustrate that people are a layer beneath the code and the actions of maintainers have a direct impact on the security of the ecosystem. Specifically event-stream and koa-router.”

  • In the case of event-stream, package maintainership was turned over to another person and that person acted in bad faith.
  • With koa-router, the package maintainer first offered the module for sale to support their work. npm support reached out to the original maintainer to let them know that this behavior was against our ToS, but in the end the package was transferred to a new maintainer. No malicious code has been published to date to our knowledge.

“While we’ve heard many ideas about how these issues could be fixed we need to be clear that there is no one solution that is going to reduce the risk of using these packages to zero.”


10 npm Security Best Practices

Concerned about npm vulnerabilities? npm security matters for frontend and backend developers alike. Auditing open source dependencies is a crucial part of shifting security left, and npm package security should be a top concern, as even the official npm command line tool has been found to be vulnerable.


In this cheat sheet edition, we’re going to focus on npm security and productivity tips for both open source maintainers and developers.


Node.js Microservices Best Practices for Production

This article lists the most important practices to follow while developing and deploying microservices on Node.js. The author opens with a brief introduction to the microservices pattern and builds from there.

You’ll also learn about:

  • design patterns
  • cluster module
  • control flow
  • linting
  • logging
  • handling uncaught exceptions & unhandled rejections

and so on.


Fastify and Preact for Quick Web App Prototyping

In this article I will show my setup to build and share web app prototypes using Fastify and Preact, two technologies that I love.


For vs forEach() vs for/in vs for/of in JavaScript

There are numerous ways to loop over arrays and objects in JavaScript, and the tradeoffs are a common cause of confusion. Some style guides go so far as to ban certain looping constructs. In this article, Valeri Karpov describes the differences between iterating over an array with the 4 primary looping constructs:

  • for (let i = 0; i < arr.length; ++i)
  • arr.forEach((v, i) => { /* … */ })
  • for (let i in arr)
  • for (const v of arr)

Valeri provides an overview of the difference between these looping constructs using several different edge cases and also links to the relevant ESLint rules that you can use to enforce looping best practices in your projects.


Run your Node.js application on a headless Raspberry Pi

A headless install doesn't require any extra hardware (such as a screen or keyboard), so all you need is the Raspberry Pi itself, a microSD (or SD, depending on your hardware) card and an internet connection (wired or wireless, again depending on your Raspberry Pi model).

Learn how to get a Node.js application running (daemonized) on a headless Raspberry Pi that serves requests through an Nginx reverse proxy.


Build A Group-Chat App in 30 Lines Using Node.js

In this article, I am going to show you how to build your first simple group chat using Node.js and the Socket.io module. Socket.io is a Node.js module that enables real-time, bidirectional and event-based communication. It works on every platform, browser or device, focusing equally on reliability and speed. Some Socket.io usage examples:

  • Real-time analytics
  • Binary streaming
  • Instant messaging and chat
  • Document collaboration (think about Google Docs)

Divide and conquer: Scale your Node.js App Using Distributed Queues

“In a previous article, I talked about how to run background tasks/jobs in Node.js (with the new worker_threads module in particular). But what happens if you are reaching the limits of the machine your Node.js instance is running in? Then you need to either move to a bigger machine (known as scaling vertically) or scale horizontally. Scaling vertically always has a limit, so at some point, you’ll need to scale horizontally.”


How to create a CHAT APP in VueJS & Node.js

In this tutorial, we create a CHAT APP in VueJS as the frontend & NodeJS as the backend. We use components and socket.io to create this web app.

The main language used in this video is JavaScript.


Originally published at community.risingstack.com on February 22, 2019.