What hides in your node_modules?

Published by on

#​428 — March 10, 2022

Read on the Web

Node Weekly

What’s Really Going On Inside Your

1
node_modules

Folder? — A running joke is that

1
node_modules

folders are so huge they’re heavier than black holes but when packages get taken over by nefarious groups, the contents of node_modules becomes somewhat less funny. This post looks into what malicious packages can do and the broad problem of supply chain attacks generally.

Feross Aboukhadijeh

Node v17.7.0 (Current) Released — Updates to nghttp2 and npm (8.5.2), some new options for

1
net.Socket

and

1
net.Server

, and Ben Noordhuis (one of the most prolific Node contributors who stepped back as a core committer for reasons in 2013) is officially fully back as a Node.js collaborator (though he has continued to contribute code all along).

Stewart X Addison

Introducing the Elastic CI Stack for EC2 Mac — This new open source stack is created specifically for mobile teams, helping you migrate to AWS-managed servers for increased reliability, security, and speed. 📱

Buildkite sponsor

Socket: See Potential Security Issues for

1
npm

Packages — An interesting new project that scans the code of each npm package in an attempt to characterize their behavior which is then reported on project specific pages, such as this one for lodash or this one for zx.

Socket

A Case Study on Moving from Next.js to RemixRemix is the newest full stack Web framework on the block, and the first case studies are beginning to come in. In this case, the author covers the rewrite of his personal site (where this article is hosted).

Adam Collier

Making a Discord Playlist Bot with Serverless CloudServerless Cloud is a serverless platform from Serverless Inc., the folks behind Serverless Framework. (Have we said ‘serverless’ enough yet?) This post ties together Node.js with some specific Serverless Cloud features to easily create a Discord chat bot that can add songs to a shared Spotify playlist.

Ben Miner

💻 Jobs

Senior Backend Developer — Are you looking to level up your skills and work on a wide variety of applications and technologies? Look no further.

Bitovi

Fullstack Developer — Konrad is hiring Fullstack developers to join our team in building products for the world’s most exciting companies.

Konrad Group

Find Tech Jobs with Hired — Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It’s free for job-seekers.

Hired

A Guide to Node Process Management with PM2PM2 is one of the longest standing Node utilities used for managing processes and is worth checking out if you have a Node process you need to stay up 24/7.

Ayooluwa Isaiah

Malicious Node.js Packages: Niche Configurations & Invisible Characters

Snyk sponsor

Diving into Node’s Streams — Streams provide a defined interface and abstraction over the idea of working with streaming data in Node – they seem to suffer from often being misunderstood, though, so tutorials always tend to be popular.

Juan José Arboleda

▶  USB Reverse Engineering and Writing Drivers — If you’ve got a hankering to do some hardware hackery with Node, you might enjoy this truly low level stream.

Low Level JavaScript

▶  Discussing Securing the Open Source Supply Chain with Feross Aboukhadijeh — Feross Aboukhadijeh is one of the minds behind Socket (featured above) and he joined the popular Changelog podcast to discuss the launch and why making the assumption that all your dependencies are malicious may be a necessary step to take.

The Changelog podcast

Deploying Your Node API to AWS Using Elastic Beanstalk

Vasil Kosturski

The Fetch API is Finally Coming to Node

Elijah Asaolu

🛠 Code & Tools

PSD: A Zero-Dependency PSD (Photoshop) Parser for Browser and Node.js — Will parse info for each layer including text and also supports Photoshop’s .psb (big image) format. GitHub repo.

webtoon

Undici 4.15: The Fresh HTTP/1.1 Client for Node — Undici’s goal to be the best HTTP/1.1 client for Node takes another step forward.

Matteo Collina

Bree 8.0: A Versatile Job Scheduler for Node — Supports cron, dates, ms, later, and human-friendly for scheduling things.

Nick Baugh

Stream Video in Your Node App in Two API Calls

Mux sponsor

exiftool-vendored: Fast, Cross-Platform Node.js Access to ExifTool — Use this when you want to access embedded EXIF data within image files (particularly those taken with phones or DSLRs).

PhotoStructure

elasticsearch-js 8.1.0: Official Elasticsearch Client for NodeElasticsearch is a great open source search database system for adding powerful search features to your apps. This update adds Elasticsearch 8.1 compatibility.

elastic

AVA 4.1: The Node.js Test Runner — A popular test runner known for its simplicity and speed.

AVA

fastify-websocket: Basic WebSocket Support for Fastify

Fastify

Dynamodump 2.0: A CLI Tool for Backing Up and Restoring Schema and Data from DynamoDB

Mikael Finstad

ssh2 v1.7: Pure JavaScript SSH2 Client and Server Modules for Node

Brian White

Categories: NodeJS Official

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

NodeJS Official

Unflagged TypeScript support is just around the corner

#​561 — January 7, 2025 Read on the Web Happy New Year! We’re now back every week all the way till mid February, so if you’ve got anything you want to submit for inclusion in Read more…

NodeJS Official

A look back at Node’s 2024

#​560 — December 17, 2024 Read on the Web 🎄 This week we cover a few news items but quickly get into a 2024 roundup of Node news and the most clicked items of the Read more…

NodeJS Official

require(esm) makes it to LTS

#​559 — December 10, 2024 Read on the Web 🎄 The Node world is experiencing a post-Thanksgiving interfestal lull, so this issue includes a few items we overlooked earlier this year. Next week brings our Read more…