The Node.js Update - #Week 33 - 17 August, 2018

Below you can find RisingStack's collection of the most important Node.js updates, tutorials & announcements from this week. Table of contents:

August 2018 Node.js Security Releases

Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement (below).

Downloads are available for the following versions. Details of code changes can also be found on each release page.

Vulnerabilities fixed:

  • OpenSSL: Client DoS due to large DH parameter: This fixes a potential denial of service (DoS) attack against client connections by a malicious server.
  • OpenSSL: ECDSA key extraction via local side-channel: Attackers with access to observe cache-timing may be able to extract DSA or ECDSA private keys by causing the victim to create several signatures and watching responses.
  • Unintentional exposure of uninitialized memory: Node.js TSC member Nikita Skovoroda discovered an argument processing flaw that causes Buffer.alloc() to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is misinterpreted by Buffer's internal "fill" method as the start to a fill operation. This flaw may be abused where Buffer.alloc() arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
  • Out of bounds (OOB) write: Node.js TSC member Nikita Skovoroda discovered an OOB write in Buffer that can be used to write to memory outside of a Buffer's memory space. This can corrupt unrelated Buffer objects or cause the Node.js process to crash.

How to Debug a Node.js app in a Docker Container

Most of the time you can be well off running your app on your local machine and use containers only to sandbox your databases and messaging queues, but some bugs will show themselves only when the app itself is containerized as well. In these cases, it is very helpful to know how to attach a debugger to the service.

Node.js Docker Debugger

An Overview of Buffers in Node.js

Buffers are Node.js' built-in type for storing arbitrary binary data. Because most Node.js developers don't use buffers much beyond occasionally reading data from a file, buffers are a common source of confusion. In this article,

I'll demonstrate how buffers work in Node.js, and describe a neat use case for buffers with MongoDB and Mongoose.

Containerizing a Node.js API & Using Docker with Kubernetes and Minikube

One of the most talked about combos as of late is Docker and Kubernetes. Docker and Kubernetes are a powerhouse that makes it infinitely easier to develop fast, immutable applications capable of running on multiple operating systems, without all the hassle of handling all the requirements of package management. Docker packages all of the requirements for any given operating system in your Docker container and, with a few Kubernetes commands, your application can be served to users, AND with immutable pods that can be killed and brought up at any time with a single Kubernetes command.

docker-kubernetes-nodejs

In this post, I’ll walk you through how I containerized an application with Docker and served it locally using Kubernetes and Minikube. In the end, you’ll walk away with enough knowledge to do the same and, hopefully, take it to the next level by launching your own app in the cloud with Kubernetes.

Node.js for the Non-Node.js Developer

Ok, Node.js experts (and yes, I go back and forth between Node and Node.js, sue me), please do not get too angry here. I’m going to define Node in a way that made sense to me when I learned. There are better, deeper explanations, but I want to keep this simple.

Node is - for all intents and purposes - using JavaScript on the server. It was created in 2009 (although Netscape had an earlier version no one seems to remember) and is powered by V8. Not the drink (although that would be awesome), but Chrome’s JavaScript engine. It is open source (ahem, Adobe) and supported by a lot of large companies. Basically you don’t have to worry about it going away or having a huge price jump.

Node.js Foundation Announces Speakers Bureau

The Node.js Foundation Speakers Bureau is made up of Node.js and open source thought leaders and technical experts from around the world. They can speak on multiple topics from best practices in building open source community consensus, JavaScript’s role in IoT to scaling JavaScript in the enterprise.

Node-Foundation-Speakers-Bureau

Members of the Node.js Foundation Speakers Bureau are available to speak on behalf of the Node.js Foundation and Node.js at both public and private industry events.

--

For more Node.js content, follow us on Twitter @RisingStack.

In case you need guidance with Docker, Kubernetes, Microservices or Node.js, feel free to ping us at [email protected]!