Security releases all round

#383 — April 8, 2021

Read on the Web

Node Weekly

April 2021 Security Releases Out Now — As mentioned last week, releases were on their way to fix a variety of high severity security issues and 15.14.0 (Latest), 14.16.1 (LTS), 12.22.1 (LTS) and 10.24.1 (LTS) are now here. More on the actual security issues below.

Security issues fixed in releases above:

• OpenSSL: CA certificate check bypass with X509_V_FLAG_X509_STRICT – this relates to security checks on certificates with more details here.

• OpenSSL: NULL pointer deref in

  1	signature_algorithms

  processing – a TLS server can be made to crash if sent a maliciously crafted renegotiation message.

• npm upgrade: Update y18n to fix Prototype-Pollution – Maliciously overwriting the prototypes of objects is called prototype pollution and this affects an issue with that in

  1

  y18n

  . Affects 14.x, 12.x, and 10.x only.

Get Visibility into Your Node Apps with End-To-End Traces — Datadog’s distributed tracing and APM generates flame graphs from real requests, enabling you to visualize app performance in real-time. Pivot seamlessly to related logs and metrics without switching tools for full context. Try Datadog APM free.

Datadog APM sponsor

NodeCSV 5.50: A Full Featured CSV Parser with a Simple API — Generation, parsing, transformation and serialization of CSV, and tested on large datasets too. The official homepage has a good example of using it.

Adaltas

Five Ways to Prevent Code Injection in JavaScript and Node — Some best practices for keeping your Node projects safe from code injection attacks.

Liran Tal

A Look at Class

Initializer Blocks in V8 9.1 — Sure, it looks a little Java-y, but this new syntax gives you a defined place to put code that runs just once for a defined class. Expect this in Chrome 91 (and therefore V8 9.1, we assume).

Shu-yu Guo

💻 Jobs

Find Software Engineering Jobs with Hired — Take 5 minutes to build your free profile & start getting interviews for your next job. Companies on Hired are actively hiring right now.

Hired

Node.js Developer at X-Team (Remote) — Join the most energizing community for developers and work on long-term projects for Riot Games, FOX, Sony, Coinbase, and more.

X-Team

📗 Tutorials and Stories

Sending Tuples from Node to Rust (and Back) — A developer needed to call a Rust API from Node and ran into some problems – here’s the story of how he solved them.

Nick Mosher

Using Top-Level

in Node Modules — From Node v14.8 onward, top-level

can be used in ES modules without needing to use the

flag.

Stefan Judis

Observability Won’t Replace Monitoring (Because It Shouldn’t)

Lightstep sponsor

Node Development with Docker and Docker Compose — Using Docker and Docker Compose to develop Nod projects can be a good option, especially if working in a team. This article provides a walk-through of a possible setup and some pros and cons of the approach.

Giuseppe Morelli

▶  Deploying Packages with GitHub Actions

Channel 9

Getting Started with Apache Kafka in Node.js

Valeri Karpov

active-win: Get Metadata About the Active Window — I haven’t thought of a good use for this yet but it’s interesting. Running it in the terminal, say, gives you the title, width, height, x and y of the window.

Sindre Sorhus

iohook: Global Keyboard and Mouse Listener — Similarly to the item above, this does what it says and with the sample code you can track the pointer and keyboard globally on your system.

wilix.team

[New] AI Security Scanning for WebStorm – Try the Free Security Plugin — Avoid the refactoring fire drill. Catch (and fix) security issues as you code. Try Snyk’s free WebStorm security plugin.

Snyk sponsor

StrongSoap 3.2: A SOAP Driver for Node — A complete rewrite of

and a heavier alternative to easy-soap-request which we covered in depth in issue 378.

StrongLoop

PM2 WebUI: An Open-Source Alternative to PM2 Plus — May be useful if you’re using the PM2 process manager.

Surya T

it-to-stream 1.0: Convert Streaming Iterables to Node Streams

Alan Shaw

Tail: A Zero Dependency Module for Tailing a File

Luca Grulla

p-queue: A Promise Queue with Concurrency Control — Useful for rate-limiting operations such as when interacting with third party APIs.

Sindre Sorhus

🕰 ICYMI (Some older stuff that’s worth checking out…)

• Zach Gollwitzer shared a free six-hour video course teaching you how to implement user authentication from scratch in Node and Express apps.
• Darko Milosevic shows us how to make your own online radio server using pure Node.
• Kelvin Omereshone demonstrates how to write automated tests on web APIs with Postman.
• Lighthouse Parade is a Node-based command line tool that crawls a domain and compiles a report with Lighthouse performance data for every page.
• Motionless is a static site generator for making sites using plain JavaScript and HTML with Node.