The Node.js Update - #Week 5 - 1 February, 2019

Below you can find RisingStack's collection of the most important Node.js updates, tutorials & announcements from this week.

Node.js v11.9.0 (Current) Released

  • events:
    • For unhandled error events with an argument that is not an Error object, the resulting exception will have more information about the argument.
  • child_process:
    • When the maxBuffer option is passed, stdout and stderr will be truncated rather than unavailable in case of an error.
  • policy:
    • Experimental support for module integrity checks through a manifest file is implemented now.
  • n-api:
    • The napi_threadsafe_function feature is now stable.
  • report:
    • An experimental diagnostic API for capturing process state is available as process.report and through command line flags.
  • tls:
    • tls.connect() takes a timeout option analogous to the net.connect() one.
  • worker:
    • process.umask() is available as a read-only function inside Worker threads now.
    • An execArgv option that supports a subset of Node.js command line options is supported now.
  • deps:
    • OpenSSL has been updated to 1.1.1a, which is API/ABI compatible with the previous OpenSSL 1.1.0j. Note that while OpenSSL 1.1.1a supports TLS1.3, Node.js still does not.

How to setup your own PaaS with Dokku + Node + React + Mongodb + Nginx

Setting up an environment can be tedious, but Dokku makes it tremendously easy. Even better, you can have your own CD setup in under 5 minutes with everything. Let’s see how we can get up and running for this app: a Node back end with a create-react-app powered front end, and we will use MongoDB.

Stripe Payments Integration 101 for JavaScript Developers

In this article Rolan Szoke shows how you can create a simple webshop using Stripe Payments integration, React and Express. You'll get familiar with the Stripe Dashboard and basic Stripe features such as charges, customers, orders, coupons and so on. Also, you will learn about the usage of webhooks and restricted API keys.

If you read this article, you'll get familiar with Stripe integration in 15 minutes, so you can leapfrog the process of burying yourself in the official documentation ('cause we already did that for you!)

How to Create PDFs With Node.js and React

In this video you will learn how to generate dynamic PDFs using Node JS and React. PDFs are going to be generated from an HTML file.

Anything that you can write in HTML and CSS can be converted to a dynamic PDF.

Setting up a Full-Stack TypeScript Application: featuring Express and React

Many will tell you that Node.js is better suited for small projects and that static, compiled languages like Java/C# are better for large enterprise applications. This is where TypeScript comes in handy; it gives you the rapid development of a scripting language combined with the type safety of a static language.

If you already know JavaScript, the learning curve for TypeScript is extremely small. TypeScript just requires a little extra setup at the beginning because it’s well… a superset and not technically a language.

29 Useful Open Source Libraries for Node.js

The world of custom software development constantly evolves with new trends, techniques, and languages. But, with Node.js, app development is significantly simplified.

In this article, Amman Mittal collated a list of the useful open source libraries that you can use in your upcoming Node.js project.

Object.assign vs Object Spread in Node.js

The Object Rest/Spread Proposal reached stage 4 in 2018, which means it will be included in a future iteration of the ECMAScript spec. It's also been included in Node.js LTS since Node.js 8, so you can safely start using it today.

$ node -v
v8.9.4
$ node
> const obj = { foo: 1, bar: 1 };
undefined
> ({ ...obj, baz: 1 });
{ foo: 1, bar: 1, baz: 1 }

The Object spread operator {...obj} is similar to Object.assign(), so which one should you use? Turns out the answer is a bit more nuanced than you might expect.

Enforcing Code Quality for Node.js

If you are going to be writing code and shipping it to production, it’s important that the code is high quality.

In this article we will explore Linting, Formatting, Unit Testing and Code Coverage and enforce some quality standards.

/r/Node Discussion: Why do so many people use MongoDB with Node.js?

"From what I've read almost everyone seems to use mongodb with NodeJS. Why not MySQL or PostgreSQL ?"

How to speed up Node.js matrix computing with Math.js

This is part 1 of a series of articles on micro-benchmarks for matrix computations. This first article focuses on a math.js benchmark, and part 2 will discuss a TensorFlow benchmark. Make sure to subscribe if you don’t want to miss it!

In this article, you will learn how performing parallel computations can speed up the multiplication of two matrices.

Yarn's Future - v2 and beyond

When the Yarn project started back in 2016, our landscape was very different from what it is now. Package locking was far from being a first class citizen in the Javascript ecosystem, and the time needed to run an install was ... well, it was what it was. Yarn's release shook the status quo and started a movement that ended up being beneficial to everyone, other package managers included. Now is the time to assess where we are, reinforce our strengths and patch our weaknesses.

This thread aims to expose our roadmap for the next major Yarn release, and let you know about significant changes that we plan to make regarding Yarn's design. The codename for these changes is Berry - that's how we'll refer to it during the next few months.

Continuous Security at npm

Security is something you have to continually train for—a constant cycle of risk discovery, prioritization, and skill-building to close the gap to get results. Continuous security is all about becoming more efficient at this entire lifecycle and reducing the time to risk discovery and the overall cost of mitigation.

Severe Security Vulnerability in Bower’s Zip Archive Extraction

Earlier this month it was found that Bower, a popular web package manager, is vulnerable in the way it extracts archives. Two security issues are currently associated with it, and follow-up releases that address them are available:

  • Arbitrary file writes with potential remote command execution, resulting from the Zip Slip vulnerabilities found in decompress-zip, an open source dependency used by Bower. This was fixed in Bower 1.8.6.
  • Arbitrary file writes caused by symbolic link (symlink) vulnerabilities in .tar.gz archives, exploitable because of how Bower extracts such archives. This was fixed in Bower 1.8.8.