Node.js Weekly Update - 21 April, 2017

Below you can find RisingStack's collection of the most important Node.js news, projects, updates & security vulnerabilities from this week:

1. Hard-won lessons: Five years with Node.js

Scott Nonnenberg shared his 5 years of Node.js knowledge on topics like Classes, NaN, the Event Loop, Testing, and Dependencies, and on failing to use New Relic to monitor Node.js apps.

After five years working with Node.js, I’ve learned a lot. I’ve already shared a few stories, but this time I wanted to focus on the ones I learned the hard way. Bugs, challenges, surprises, and the lessons you can apply to your own projects!

2. The Definitive Guide to Object Streams in Node.js

Node.js Streams come with a great power: You have an asynchronous way of dealing with input and output, and you can transform data in independent steps.

In this tutorial, I'll walk you through the theory, and teach you how to use object stream transformables, just like Gulp does.

3. Improving Startup Time at Atom

Over the last months, the Atom team has been working hard on improving one of the aspects of the editor our users care about the most: startup time.

We will first provide the reader with some background about why reducing startup time is a non-trivial task, then illustrate the optimizations we have shipped in Atom 1.17 (currently in beta) and, finally, describe what other improvements to expect in the future.

4. Announcing Free Node.js Monitoring & Debugging with Trace

Today, we’re excited to announce that Trace, our Node.js monitoring & debugging tool, is now free for open-source projects.

We know from experience that developing an open-source project is hard work, which requires a lot of knowledge and persistence. Trace will save a lot of time for those who use Node for their open-source projects.

5. PSA: Node.js 8 will be delayed until May.

As we've mentioned in the previous Node.js Weekly Update, V8 5.9 will be the first version with TurboFan + Ignition (TF+I) turned on by default.

As parts of the Node.js codebase have been tuned to CrankShaft, there will be a non-trivial amount of churn to adapt to the new pipeline. This also creates a security risk as CrankShaft and FullCodeGen are no longer maintained by the V8 team or tested by the Chrome security team. If TF + I lands in Node.js 9.x, backporting any changes to Node.js 8.x is going to prove extremely difficult and time-consuming.

The Node.js Core Team decided to target 5.8 in the 8.x release. The foundation will delay the release by 3-4 weeks to allow a forward-compatible ABI to 6.0, so that the upgrade to TF+I can ship as a semver-minor change.

6. Meet Awaiting - the async/await utility for browsers and Node.js

Code written with async functions benefits from superior readability, improved terseness and expressiveness, and unified error handling. No more nested callbacks, opaque Promise chains, and if (err) checks littering your code.

However, this pattern isn't a panacea. It's easy to do some things: iterate through single items, wait on a single result, run an array of promises in parallel. Other workflows require abstraction or state. I kept finding myself writing the same utility functions in each project: delays, throttled maps, skipping try/catch on optional operations, adapting to events or callbacks. Await, combined with these simple abstractions, yields readable yet powerful async workflows.

7. Call for Papers (NodeTalk Proposals)

Node Summit 2017 will host the fifth annual NodeTalks. The conference will host leading technology and business experts from across the Node.js ecosystem who will present real-world case studies and talks that highlight the rapidly growing number of high profile companies and critical applications that rely on the Node.js ecosystem.

Submit your talk here!

Security Vulnerabilities Discovered:

High severity

  • ReDoS - decamelize package, versions >=1.1.0 <1.1.2
  • ReDoS - useragent package, versions <2.1.12
  • ReDoS - uri-js package, versions <3.0.0
  • DoS - nes package, versions <6.4.1

Medium severity

Low severity

Previously in the Node.js Weekly Update

In the previous Node.js Weekly Update we read interviews with Matt Loring & Mark Hinkle, and read about tracking the growth of Open-Source & Mastering Node CLI.

We help you to stay up-to-date with Node.js on a daily basis too. Check out our Node.js news page and its Twitter feed!