The Node.js Update #Week 23 of 2019. 7 June

Below you can find a collection of the most important Node.js updates, tutorials & announcements from this week - curated by RisingStack's Node.js Developers.

Node.js v12.4.0 Released


  • doc: The JSON variant of the API documentation is no longer experimental.
  • esm: JSON module support is always enabled under --experimental-modules. The --experimental-json-modules flag has been removed.
  • http,http2: A new flag has been added for overriding the default HTTP server socket timeout (which is two minutes). Pass --http-server-default-timeout=milliseconds or --http-server-default-timeout=0 to respectively change or disable the timeout. Starting with Node.js 13.0.0, the timeout will be disabled by default.
  • inspector: Added an experimental --heap-prof flag to start the V8 heap profiler on startup and write the heap profile to disk before exit.
  • stream: The readable.unshift() method now correctly converts strings to buffers. Additionally, a new optional argument is accepted to specify the string's encoding, such as 'utf8' or 'ascii'.
  • v8: The object returned by v8.getHeapStatistics() has two new properties: number_of_native_contexts and number_of_detached_contexts.

History of Node.js on a Timeline

We’ve been publishing articles on Node.js for over 5 years now, so we thought it’d be interesting to look back at what exactly has happened to Node.js so far, from the point where it was born until today.


The economics of open source by C J Silverio (ex-CEO of NPM)

The JS package commons is in the hands of a for-profit entity. We trust npm with our shared code, but we have no way to hold npm accountable for its behavior.


A trust-based system cannot function without accountability, but somebody still has to pay for the servers. How did we get here, and what should JavaScript do now?

You don't need passport.js - Guide to node.js authentication

This series of articles about Node.js authentication aims to demystify concepts such as JSON Web Token (JWT), social login (OAuth2), user impersonation (an admin can log in as a specific user without their password), common security pitfalls and attack vectors.

Table of contents:

  • How to make the Sign-Up
  • How to make the Sign-In
  • JWT explained
  • Generating JWTs
  • Secured endpoints
  • User impersonation

How To Mock Services Using Mountebank and Node.js

A service mock is code that simulates the service that you would use in the final product, but is lighter weight, less complex, and easier to control than the actual service you would use in production. You can set a mock service to return a default response or specific test data, then run the software you're interested in testing as if the dependent service were really there. Because of this, having a flexible way to mock services can make your workflow faster and more efficient.

Node.js Mentorship Application Closing Soon!

The goal of the mentorship program is to bring more contributors to Node.js projects by mentoring people about the Node.js ecosystem, helping them contribute to Node.js, championing their PRs through code reviews, and providing guidance.

Node.js Mentorship Round

This round we have 10 brilliant mentors for a mentoring duration of 10 weeks. Mentoring topics are very diverse so make sure you pick your top 3 choices carefully.

You can read more about the mentorship program here:

Call for Proposals (CFP) for Node+JS Interactive Close Soon!

Dates to Remember:

  • CFP Opens: Tuesday, May 7
  • CFP Closes: Friday, June 14 at 11:59pm PST
  • CFP Notifications: Wednesday, July 31
  • Schedule Announcement: Week of August 5
  • Slide Due Date: Monday, December 2
  • Event Dates: Wednesday, December 11 – Thursday, December 12

Plot to steal cryptocurrency foiled by the npm security team

The npm security team, in collaboration with Komodo, helped protect over $13 million USD in cryptocurrency assets as they found and responded to a malware threat targeting the users of a cryptocurrency wallet called Agama.

electron native notify publication timeline
  "1.0.0": "2019-03-06T23:54:33.625Z"
  "1.0.1": "2019-03-07T03:07:45.585Z"
  "1.0.2": "2019-03-07T03:10:00.491Z"
  "1.0.3": "2019-03-08T03:46:17.223Z"
  "1.1.0": "2019-03-08T04:04:55.489Z"
  "1.1.1": "2019-03-08T04:18:13.915Z"
  "1.1.2": "2019-03-08T04:29:26.857Z"
  "1.1.3": "2019-03-08T04:44:44.991Z"
  "1.1.4": "2019-03-08T04:47:23.483Z"
  "1.1.5": "2019-03-08T09:58:07.558Z" <- KomodoPlatform/EasyDEX-GUI installs package
  "1.1.6": "2019-03-23T09:28:57.679Z" <- Malicious payload introduced here
  "1.1.7": "2019-03-23T10:45:36.035Z"
  "1.2.0": "2019-04-16T02:09:56.904Z" <- Agama updated by sawlysawly to this version
  "1.2.1": "2019-05-11T11:44:21.933Z"
  "1.2.2": "2019-06-03T15:26:40.054Z"

This attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application.
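One defensive check this incident suggests, as an added example that is not part of the newsletter or of npm's or Komodo's own tooling: given the `time` field of a package's registry metadata (the shape `npm view <pkg> time --json` prints), list every release published between the version a project originally vetted and the one its lockfile now resolves to, with the gap since the preceding release, so a bump like 1.1.5 to 1.2.0 gets reviewed release by release rather than as one opaque diff. The metadata object is constructed from a subset of the timeline above; the function names are this example's own.

```javascript
// Added example, not code from the newsletter, npm or Komodo. Input shape: the
// "time" field of a package's registry document (`npm view <pkg> time --json`);
// besides one entry per version it carries "created" and "modified", which are skipped.
const ELECTRON_NATIVE_NOTIFY_TIME = { // constructed from the article's timeline
  created: "2019-03-06T23:54:33.625Z",
  modified: "2019-06-03T15:26:40.054Z",
  "1.1.4": "2019-03-08T04:47:23.483Z",
  "1.1.5": "2019-03-08T09:58:07.558Z", // version the downstream project vetted
  "1.1.6": "2019-03-23T09:28:57.679Z", // where the article says the payload appeared
  "1.1.7": "2019-03-23T10:45:36.035Z",
  "1.2.0": "2019-04-16T02:09:56.904Z", // version the project was bumped to
  "1.2.1": "2019-05-11T11:44:21.933Z",
  "1.2.2": "2019-06-03T15:26:40.054Z",
};

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// Numeric x.y.z comparison (1.10.0 sorts after 1.9.0); pre-release tags are not handled.
function compareSemver(a, b) {
  const pa = a.match(SEMVER).slice(1).map(Number);
  const pb = b.match(SEMVER).slice(1).map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Releases in publication order, each with the days elapsed since the previous one:
// a dormant package that suddenly ships a release deserves a closer look.
function releaseTimeline(timeField) {
  return Object.entries(timeField)
    .filter(([key]) => SEMVER.test(key))
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }))
    .sort((a, b) => a.publishedAt - b.publishedAt)
    .map((rel, i, all) => ({
      ...rel,
      gapDays: i === 0 ? 0 : (rel.publishedAt - all[i - 1].publishedAt) / 86400000,
    }));
}

// Every release published after the version you originally vetted, up to and
// including the version your lockfile now resolves to: these are the diffs to read.
function releasesToReview(timeField, vettedVersion, resolvedVersion) {
  const timeline = releaseTimeline(timeField);
  const vetted = timeline.find((rel) => rel.version === vettedVersion);
  if (!vetted) throw new Error(`${vettedVersion} is not in the registry metadata`);
  return timeline.filter((rel) => rel.publishedAt > vetted.publishedAt && compareSemver(rel.version, resolvedVersion) <= 0);
}

console.log(releasesToReview(ELECTRON_NATIVE_NOTIFY_TIME, "1.1.5", "1.2.0").map((r) => `${r.version} (+${r.gapDays.toFixed(1)}d)`));
```

The same function applied to a lockfile's resolved versions across all dependencies turns a routine `npm update` into a short list of releases to diff, and the gap column flags the 15-day silence before 1.1.6 that a maintainer change can hide behind.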