Below you can find RisingStack's collection of the most important Node.js updates, tutorials & announcements from this week.
- compression / zlib: Added brotli support
- Added inspectOptions option
- Always accept private keys as public keys
- Upgrade npm to v6.5.0
- Use internalBinding('fs') internally instead of process.binding('fs')
- Support overriding http/https globalAgent
- Inspect ArrayBuffers contents closely
- Expose workers by default and remove --experimental-worker flag
Since the release of Node.js v10.5.0 there’s a new worker_threads module available.
James Henry, who has long been the driving force behind TypeScript compatibility for ESLint, has started the typescript-eslint project as a centralized repository for all things related to TypeScript ESLint compatibility. This will be the new home of the TypeScript parser, eslint-plugin-typescript, and any other utilities that will make the TypeScript ESLint experience as seamless as possible.
What does this mean going forward?
- The ESLint team will no longer be maintaining
- The repository will be archived as of today
- There will be no further releases of
- Anyone using
HTTP client libraries are a dime a dozen in user-land, but you might need more from your client of choice.
There is a lot of power in the Node core libraries you get out of the box. That isn’t to say that using open source libraries is the wrong choice, but when building software we should be careful about the trade-offs we make in the name of simplicity. Often we do not need to make those trade-offs at all, and digging into some of the core libraries will reveal that.
As your project grows, working on a large or monolithic Node.js app gets slower:
- Working on part of the app means running the entire app.
- The require tree grows so large it can take several seconds to start the server.
- Restarting the server on every change impedes development.
- Middleware for projects like Next.js & Storybook are expensive to restart with each change.
- Tools like concurrently, nodemon, & piping still run the entire app.
- You shouldn't waste time in the terminal hitting Ctrl-C and restarting.
Heard all about these new fan-dangled GitHub Actions, and want to go out and build one? Well then let’s do it!
This post will serve as a guide to building a run-of-the-mill GitHub Action in Node.js.
Earlier this month, I published “Using worker_threads in Node.js”. Since that time, Node.js 11.7.0 shipped. With Node.js 11.7.0, you no longer need the --experimental-worker flag to use the worker_threads module. So it’s even easier to use worker_threads than it was when I wrote that first article.
In an effort to better promote and increase engagement in the Node.js Security WG, the working group would like to share highlights more often, ideally each quarter, in the following areas:
Quarterly Agenda Topics:
- Security Bounty Program for Node.js Core and Ecosystem
- Machine Readable Format for Vulnerabilities
- Nodejs.org now has a SECURITY.TXT
Node.js Core Security News:
- The prior year ended with security updates for all maintained Node.js release lines, published in November 2018.
- One of the important changes to the HTTP module in the Node.js 10.14.0 release was lowering the maximum accepted HTTP header size across all release lines, including LTS, which turned out to be problematic for some users whose legitimate requests carried large headers. A series of patch releases followed to make the limit configurable at run-time via the --max-http-header-size flag.
- 2018 was also the year when someone used social engineering to gain control of a popular module distributed via npm and inject malicious code into it. One positive outcome of this is a heightened interest in how packages are maintained, and what the Node.js community can do to help.
Security Reports Spotlight:
- base64-url below 2.0 allocates uninitialized Buffers when a number is passed as input (https://hackerone.com/reports/321692)
- Unrestricted file upload (RCE) in express-cart (https://hackerone.com/reports/343726)
- serve directory listing and file access even when they have been set to be ignored (https://hackerone.com/reports/330650)
- Command injection in pdf-image (https://hackerone.com/reports/340208)
- query-mysql SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database (https://hackerone.com/reports/311244)