Node.js Weekly Update - 3 March, 2017

Read the most important Node.js weekly news & updates:

1. Digital Transformation with the Node.js Stack

Let's explore the 9 main areas of digital transformation and see what the benefits of implementing Node.js are. Digital Transformation Roadmap inside!

One of the available technologies that enable companies to go through a major performance shift is Node.js and its ecosystem. It is a tool that grants improvement opportunities that organizations should take advantage of:

  • Increased developer productivity,
  • DevOps or NoOps practices,
  • and shipping software to production in brief time using the proxy approach,

just to mention a few.

2. NPM or Yarn? Node.js devs pick their package manager

Facebook's open source JavaScript package manager is gathering steam, but don't count out NPM

Mere months since it was open-sourced by Facebook, Yarn has NPM on the run. The upstart JavaScript package manager has gained a quick foothold in the Node.js community, particularly among users of the React JavaScript UI library.

3. V8: Behind the Scenes (February Edition feat. A tale of TurboFan)

February has been an exciting and very, very busy month for me. As you have probably heard, we’ve finally announced that we will launch the Ignition+TurboFan pipeline in Chrome 59. So despite running late, and not making it for February actually, I’d like to take the time to reflect on the TurboFan tale a bit, and tell my story here. Remember that everything you read here is my very personal opinion and doesn’t reflect the opinion of V8, Chrome or Google.

4. Getting Started With WebAssembly in Node.js

WebAssembly is an exciting new language that many JavaScript engines have added support for. WebAssembly promises to make it much easier to compile languages like C and C++ to something that runs in the browser.

In this article, I'll show you how to get a couple rudimentary WebAssembly examples running in Node.js, and run a couple trivial benchmarks to show the performance impact.

5. Prototype Override Protection Bypass in the qs module

By default qs protects against attacks that attempt to overwrite an object's existing prototype properties, such as toString(), hasOwnProperty(), etc. Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more.

In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with [ or ]. For example, qs.parse("]=toString") will return {toString = true}; as a result, calling toString() on the object will throw an exception.

Example:

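const qs = require('qs');

// Protection works: the prototype property name is dropped.
qs.parse('toString=foo', { allowPrototypes: false })
// {}

// Affected versions: the leading ] bypasses the protection.
qs.parse("]=toString", { allowPrototypes: false })
// {toString = true} <== prototype overwritten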
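The effect described above, with a defensive check against it, as an added example that is not code from the newsletter, the advisory or the qs project. It does not call qs: the sample objects are constructed to mimic the parse result shown above, and findShadowedKeys, sanitize, has and coercionThrows are hypothetical helper names.

```javascript
// Names defined on Object.prototype that a parsed query object must never own.
const PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

// Hypothetical helper: report own keys, at any depth, that shadow Object.prototype members.
function findShadowedKeys(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (PROTO_KEYS.has(key)) hits.push(here);
    hits.push(...findShadowedKeys(value[key], here));
  }
  return hits;
}

// Hypothetical helper: deep copy that drops every shadowing key,
// so the inherited toString(), hasOwnProperty(), etc. are visible again.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (!PROTO_KEYS.has(key)) clean[key] = sanitize(value[key]);
  }
  return clean;
}

// Own-property test that does not trust the object's own hasOwnProperty.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// The failure mode from the advisory: string coercion throws a TypeError
// when toString has been replaced by a non-callable value.
function coercionThrows(obj) {
  try { String(obj); return false; } catch (e) { return e instanceof TypeError; }
}

// Constructed sample inputs (not real qs output).
const poisoned = { toString: true, user: { hasOwnProperty: 'x', name: 'alice' } };
const benign = { page: '2', filter: { tag: ['node', 'qs'] } };

console.log(findShadowedKeys(poisoned));           // keys to reject or log
console.log(coercionThrows(poisoned));             // coercion of the poisoned object
console.log(coercionThrows(sanitize(poisoned)));   // coercion after sanitizing
console.log(has(sanitize(poisoned).user, 'name')); // legitimate data survives
```

A check like this is a stopgap for request handlers; upgrading qs to a fixed release remains the actual remedy.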

6. Programmers are Confessing their Coding sins to protest a Broken Job Interview Process

David Heinemeier Hansson, a well-known programmer and the creator of the popular Ruby on Rails coding framework, was the one who started it:

DHH whiteboard confession

Immediately, other techies picked up the meme. “Hello my name is Sadiksha, I am working on rails since 2011. I don’t know migrations syntax to add/remove column, I google it every time,” one coder said. “Hello, my name is Tim. I’m a lead at Google with over 30 years coding experience and I need to look up how to get length of a python string,” tweeted another.

Latest Node.js Releases

○ Node v7.7.0 (Current)

This release contains a bug that will prevent all native modules from loading. Update to 7.7.1!

  • child_process: spawnSync() exit code now is null when the child is killed via signal
  • http: new functions to access the headers for an outgoing HTTP message
  • lib: deprecate node --debug at runtime
  • tls: new tls.TLSSocket() supports sec ctx options
  • url: adding URL.prototype.toJSON support
  • doc: items in the API documentation may now have changelogs
  • crypto: adding support for OPENSSL_CONF again
  • src: adding support for trace-event tracing

○ Node v7.7.1 (Current)

Node.js 7.7.0 contains a bug that will prevent all native modules from building; this patch should fix the issue.


Previously in the Node.js Weekly Update

In the previous Node.js Weekly Update we read fantastic articles about Writing REST APIs, Quality with Speed, Node 6 at Wikimedia, Node in China, Async/Await released and more.

We help you to stay up-to-date with Node.js on a daily basis too. Check out our Node.js news page and its Twitter feed!