Below you can find RisingStack's collection of the most important Node.js updates, tutorials & announcements from this week.
Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement (below).
Downloads are available for the following versions. Details of code changes can also be found on each release page.
- OpenSSL: Client DoS due to large DH parameter: This fixes a potential denial of service (DoS) attack against client connections by a malicious server.
- OpenSSL: ECDSA key extraction via local side-channel: Attackers with access to observe cache-timing may be able to extract DSA or ECDSA private keys by causing the victim to create several signatures and watching responses.
- Unintentional exposure of uninitialized memory: Node.js TSC member Nikita Skovoroda discovered an argument processing flaw that causes `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument, specifying `encoding`, can be passed as a number; this is misinterpreted by `Buffer`'s internal "fill" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
- Out of bounds (OOB) write: Node.js TSC member Nikita Skovoroda discovered an OOB write in `Buffer` that can be used to write to memory outside of a `Buffer`'s memory space. This can corrupt unrelated `Buffer` objects or cause the Node.js process to crash.
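
Where `Buffer.alloc()` arguments come from user input, as in the uninitialized-memory item above, validating them before the call is a useful defense in depth alongside upgrading. The sketch below is an added example, not code from Node.js or from the advisory; `safeAlloc`, `allocFromRequest`, the `MAX_ALLOC` ceiling and the JSON request bodies are all assumptions made for illustration.

```javascript
'use strict';

// Hypothetical ceiling for a single caller-controlled allocation.
const MAX_ALLOC = 64 * 1024;

// Validate every argument before it reaches Buffer.alloc().
function safeAlloc(size, fill, encoding) {
  if (!Number.isSafeInteger(size) || size < 0 || size > MAX_ALLOC) {
    throw new RangeError('size must be an integer between 0 and ' + MAX_ALLOC);
  }
  if (fill === undefined) {
    return Buffer.alloc(size); // zero-filled by definition
  }
  if (typeof fill !== 'string' && typeof fill !== 'number') {
    throw new TypeError('fill must be a string or a number');
  }
  // The advisory's trigger is a numeric third argument being taken as a
  // fill offset, so only known encoding names are allowed through.
  if (encoding !== undefined &&
      (typeof encoding !== 'string' || !Buffer.isEncoding(encoding))) {
    throw new TypeError('encoding must be a known encoding name');
  }
  return Buffer.alloc(size, fill, encoding);
}

// Parse a JSON request body and allocate from its fields.
function allocFromRequest(body) {
  const { size, fill, encoding } = JSON.parse(body);
  try {
    return { ok: true, buf: safeAlloc(size, fill, encoding) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample request bodies: valid, numeric encoding, string size.
const samples = [
  '{"size": 8, "fill": "ab", "encoding": "utf8"}',
  '{"size": 8, "fill": "ab", "encoding": 4}',
  '{"size": "8", "fill": "ab"}',
];
for (const s of samples) {
  const r = allocFromRequest(s);
  console.log(s, '->', r.ok ? r.buf.toString('hex') : r.error);
}
```
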
Most of the time you can be well off running your app on your local machine and use containers only to sandbox your databases and messaging queues, but some bugs will show themselves only when the app itself is containerized as well. In these cases, it is very helpful to know how to attach a debugger to the service.
Buffers are Node.js' built-in type for storing arbitrary binary data. Because most Node.js developers don't use buffers much beyond occasionally reading data from a file, buffers are a common source of confusion. In this article, I'll demonstrate how buffers work in Node.js, and describe a neat use case for buffers with MongoDB and Mongoose.
One of the most talked about combos as of late is Docker and Kubernetes. Docker and Kubernetes are a powerhouse that makes it infinitely easier to develop fast, immutable applications capable of running on multiple operating systems, without all the hassle of handling all the requirements of package management. Docker packages all of the requirements for any given operating system in your Docker container and, with a few Kubernetes commands, your application can be served to users, AND with immutable pods that can be killed and brought up at any time with a single Kubernetes command.
In this post, I’ll walk you through how I containerized an application with Docker and served it locally using Kubernetes and Minikube. In the end, you’ll walk away with enough knowledge to do the same and, hopefully, take it to the next level by launching your own app in the cloud with Kubernetes.
Ok, Node.js experts (and yes, I go back and forth between Node and Node.js, sue me), please do not get too angry here. I’m going to define Node in a way that made sense to me when I learned. There are better, deeper explanations, but I want to keep this simple.
Members of the Node.js Foundation Speakers Bureau are available to speak on behalf of the Node.js Foundation and Node.js at both public and private industry events.
For more Node.js content, follow us on Twitter @RisingStack.
In case you need guidance with Docker, Kubernetes, Microservices or Node.js, feel free to ping us at in[email protected]!