Below you can find RisingStack's collection of the most important Node.js news, projects, updates & security leaks from this week:
In his presentation, Danny Grander walked us through hacking a vulnerable Node.js application and looked in depth at three different vulnerabilities in popular npm packages.
It is a good learning opportunity to see real-world software, written by experienced developers, that had security issues which later got fixed; hopefully we can learn something from that.
Glimpse is an experimental npm package that gives you in-depth insights about the client and server sides of your Node.js apps.
More efficient debugging means faster development. Best of all, it’s free.
Post-mortem diagnostics & debugging comes into the picture when you want to figure out what went wrong with your Node.js application in production.
We will take a look at node-report, a core project which aims to help you with post-mortem diagnostics & debugging.
Docker is an amazing tool for developers. It allows us to build and replicate images on any host, removing the inconsistencies of dev environments and reducing onboarding timelines considerably.
To provide an example of how you might move to containerized development, I built a simple todo API using Node.js, Express, and PostgreSQL, with Docker Compose for development, testing, and eventually in my CI/CD pipeline.
Node Core Changes:
util.promisify is now in Node core, so we don't have to use the es6-promisify module anymore.
AsyncWrap is two things. One is a class abstraction that provides an internal mechanism for handling asynchronous tasks, such as calling a callback.
The other is an API for setting up hooks, which allows one to get structural tracing information about the life of handle objects. In the context of tracing, the latter is usually what is meant.
Vulnerable npm Packages Discovered:
- Regular Expression Denial of Service (ReDoS) - uikit package, versions <2.26.4 >=2.0.0
- Information Disclosure - nforce package, versions <0.6.1
- Cross-Site Request Forgery (CSRF) - eslint_d package, versions <4.0.1 >=4.0.0 || <3.1.2
- Directory Traversal - actionhero package, versions <4.0.0 >=1.0.2
- Cross-site Scripting (XSS) - actionhero package, versions <15.1.2 >=13.0.0
- Cross-site Scripting (XSS) - riot package, versions <0.9.6
- Cross-site Scripting (XSS) - rendr package, versions <1.1.4 >=0.4.0
- Cross-site Scripting (XSS) - rendr package, versions <0.5.0-rc1
- Cross-site Scripting (XSS) - ql.io-engine package, versions <0.4.2
- Cross-site Scripting (XSS) - polyfill-service package, versions <3.1.2
- Cross-site Scripting (XSS) - mediaelement package, versions <3.1.2 >=3.0.0
- Cross-site Scripting (XSS) - mediaelement package, versions <2.21.0 >=2.17.0
- Cross-site Scripting (XSS) - fullpage.js package, versions <2.7.6
- Cross-site Scripting (XSS) - favico.js package, versions <0.3.10
- Cross-site Scripting (XSS) - datatables package, versions <1.10.10 >=1.10.1
- Information Exposure - brunch package, versions <1.7.7 >=1.7.0
Previously in the Node.js Weekly
In the previous Node.js Weekly Update we read about why Node 8 got delayed, how to use the fs module effectively, how to make Electron apps with 99.9% weight loss & 3 recent Node.js releases: v6.10.3 (LTS), v7.10.0 (Current) & v4.8.3 (Maintenance).