The Node.js Update #Week 33 of 2019. 16 August

Below you can find a collection of the most important Node.js updates, tutorials & announcements from this week - curated by RisingStack's Node.js Developers.

8.x and 10.x Node.js Security Releases:

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See for more information.

Updates are now available for all active Node.js release lines, except Linux ARMv6 builds for Node.js 8.x which are still building.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

Vulnerabilities fixed:

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Promises API in Node.js core: where we are and where we’ll get to by Joe Sepi | JSConf EU 2019

Currently only fs and dns have an experimental promise API in Node core. People LOL at Node.js core modules for still using the callback pattern. I could launch into a bunch of puns here but instead I’ll just say the current status is sad but fixable.


Where are we? What do we need to do? How can you help?

Build a Chatbot from Scratch - Dialogflow on Node.js

Build a fullstack chatbot that can intelligently interact with your users, featuring Dialogflow, Cloud Functions, and Angular.


Comprehensive and exhaustive JavaScript & Node.js testing best practices (August 2019)

45+ best practices: Super-comprehensive and exhaustive
This is a guide for JavaScript & Node.js reliability from A-Z. It summarizes and curates for you dozens of the best blog posts, books and tools the market has to offer.

Advanced: Goes 10,000 miles beyond the basics
Hop into a journey that travels way beyond the basics into advanced topics like testing in production, mutation testing, property-based testing and many other strategic & professional tools. Should you read every word in this guide, your testing skills are likely to go way above the average.

Full-stack: front, backend, CI, anything
Start by understanding the ubiquitous testing practices that are the foundation for any application tier. Then, delve into your area of choice: frontend/UI, backend, CI or maybe all of them?

Go Goroutines vs Node Cluster & Worker Threads

I read many articles on Go, as well as Go vs X language. A common theme I noticed is people either bashing Node.js, (Node) with little understanding of what they are talking about, or showcasing Go as being far more performant than Node.js. In the cases where Go was far more performant, Node was mostly being run at a massive handicap and for me making an informed business decision, I want to know how the two actually perform against each other.

In this article Node.js is compared to Go, in a scenario where Go is set up (by default) to use every available CPU thread, while Node is running single-threaded in a single process.

Although Go outperformed Node in every test, with Node cluster, I feel Node was certainly able to hold its own and there wasn’t a drastic difference between the two (10% when it came to r/s).

How to Build a Command Line (CLI) Tool in Node.js

This article demonstrates how you can create a command-line tool in JS using Node.js.

Jordan promises – async/await vs .then

As I’ve stated in a lot of other posts, I’m a big fan of async/await. I think it’s a pretty clean way to manage your synchronous and asynchronous code. I want to compare some of the bad that can be avoided with async/await.

Build a Slack App to Create and Apply Stripe Coupons in 4 Steps with Standard Library and Node.js

In this article, we’ll walk through how to create your own Slack-based Stripe coupon management app using Build on Standard Library. Your app will be able to:

  • Create coupon codes for all occasions (new subscribers, promos, etc.)
  • Apply coupons to existing subscribers
  • Solve world hunger and the energy crisis (just kidding)