What hides in your node_modules?

#​428 — March 10, 2022

Read on the Web

Node Weekly

What’s Really Going On Inside Your

Folder? — A running joke is that

folders are so huge they’re heavier than black holes but when packages get taken over by nefarious groups, the contents of node_modules becomes somewhat less funny. This post looks into what malicious packages can do and the broad problem of supply chain attacks generally.

Feross Aboukhadijeh

Node v17.7.0 (Current) Released — Updates to nghttp2 and npm (8.5.2), some new options for

and

, and Ben Noordhuis (one of the most prolific Node contributors who stepped back as a core committer for reasons in 2013) is officially fully back as a Node.js collaborator (though he has continued to contribute code all along).

Stewart X Addison

Introducing the Elastic CI Stack for EC2 Mac — This new open source stack is created specifically for mobile teams, helping you migrate to AWS-managed servers for increased reliability, security, and speed. 📱

Buildkite sponsor

Socket: See Potential Security Issues for

Packages — An interesting new project that scans the code of each npm package in an attempt to characterize their behavior which is then reported on project specific pages, such as this one for lodash or this one for zx.

Socket

A Case Study on Moving from Next.js to Remix — Remix is the newest full stack Web framework on the block, and the first case studies are beginning to come in. In this case, the author covers the rewrite of his personal site (where this article is hosted).

Adam Collier

Making a Discord Playlist Bot with Serverless Cloud — Serverless Cloud is a serverless platform from Serverless Inc., the folks behind Serverless Framework. (Have we said ‘serverless’ enough yet?) This post ties together Node.js with some specific Serverless Cloud features to easily create a Discord chat bot that can add songs to a shared Spotify playlist.

Ben Miner

A Guide to Node Process Management with PM2 — PM2 is one of the longest standing Node utilities used for managing processes and is worth checking out if you have a Node process you need to stay up 24/7.

Ayooluwa Isaiah

Malicious Node.js Packages: Niche Configurations & Invisible Characters

Snyk sponsor

Diving into Node’s Streams — Streams provide a defined interface and abstraction over the idea of working with streaming data in Node – they seem to suffer from often being misunderstood, though, so tutorials always tend to be popular.

Juan José Arboleda

▶  USB Reverse Engineering and Writing Drivers — If you’ve got a hankering to do some hardware hackery with Node, you might enjoy this truly low level stream.

Low Level JavaScript

▶  Discussing Securing the Open Source Supply Chain with Feross Aboukhadijeh — Feross Aboukhadijeh is one of the minds behind Socket (featured above) and he joined the popular Changelog podcast to discuss the launch and why making the assumption that all your dependencies are malicious may be a necessary step to take.

The Changelog podcast

Deploying Your Node API to AWS Using Elastic Beanstalk

Vasil Kosturski

The Fetch API is Finally Coming to Node

Elijah Asaolu

PSD: A Zero-Dependency PSD (Photoshop) Parser for Browser and Node.js — Will parse info for each layer including text and also supports Photoshop’s .psb (big image) format. GitHub repo.

webtoon

Undici 4.15: The Fresh HTTP/1.1 Client for Node — Undici’s goal to be the best HTTP/1.1 client for Node takes another step forward.

Matteo Collina

Bree 8.0: A Versatile Job Scheduler for Node — Supports cron, dates, ms, later, and human-friendly for scheduling things.

Nick Baugh

Stream Video in Your Node App in Two API Calls

Mux sponsor

exiftool-vendored: Fast, Cross-Platform Node.js Access to ExifTool — Use this when you want to access embedded EXIF data within image files (particularly those taken with phones or DSLRs).

PhotoStructure

elasticsearch-js 8.1.0: Official Elasticsearch Client for Node — Elasticsearch is a great open source search database system for adding powerful search features to your apps. This update adds Elasticsearch 8.1 compatibility.

elastic

AVA 4.1: The Node.js Test Runner — A popular test runner known for its simplicity and speed.

AVA

fastify-websocket: Basic WebSocket Support for Fastify

Fastify

Dynamodump 2.0: A CLI Tool for Backing Up and Restoring Schema and Data from DynamoDB

Mikael Finstad

ssh2 v1.7: Pure JavaScript SSH2 Client and Server Modules for Node

Brian White