Friday, 14 July, 2017 UTC


Below you can find RisingStack's collection of the most important Node.js updates, projects, tutorials & Node related conferences from this week:

Node v8.1.4 (Current) Released

Notable changes in the new release:
  • build:
    • Disable V8 snapshots - The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found.
  • deps:
    • CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. This patch checks that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record.

Security updates for all active release lines, July 2017

Updates are now available for all active Node.js release lines as well as the 7.x line. These include the fix for the high severity vulnerability identified in the initial announcement, one additional lower priority Node.js vulnerability in the 4.x release line, as well as some lower priority fixes for Node.js dependencies across the current release lines.
  • Node.js v8 (Current)
  • Node.js v7
  • Node.js v6 (LTS "Boron")
  • Node.js v4 (LTS "Argon")
Note: The 0.10.x and 0.12.x release lines are also vulnerable to the Constant Hashtable Seeds vulnerability. We recommend that users of these release lines upgrade to one of the supported LTS release lines.
For more info on these flaws, read the article.

Setting up 2FA for Node.js Applications

2FA relies on unique shared secrets we’ll give our users. Users can then take those shared secrets to generate time-based six-digit tokens on their phone or any other OTP device to log onto our site. This is more secure than plain password-based authentication: in addition to obtaining access to the user’s password, a malicious actor would also need the shared secret in order to compromise their account.
Let’s take a look at how we can quickly hash out a correct two-factor authentication (2FA) solution for our web applications. First off, let’s work out the required flow.

Introducing npx: an npm package runner

Those of you upgrading npm to its latest version, [email protected], might notice that it installs a new binary alongside the usual npm: npx.
npx is a tool intended to help round out the experience of using packages from the npm registry — the same way npm makes it super easy to install and manage dependencies hosted on the registry, npx makes it easy to use CLI tools and other executables hosted on the registry.

Microservices Distributed Tracing with Node.js and OpenTracing

Microservices is a powerful architecture pattern with many advantages, but it also brings new challenges regarding debugging - as it’s a distributed architecture that moves the complexity to the network.
Distributed tracing (and OpenTracing) provides a solution by giving enough visibility and information about cross-process communication.
This article explains the basics of distributed tracing as well as shows an open-source solution to debug Node.js based microservices applications.

How to inspect the memory usage of a process in Node.js

While everyone seems to agree about the fact that premature optimization could be detrimental, you must care about performances either way: in the most simplest case you may want to know how much memory a given Node.js process uses during its execution.
In this post we will see how to use a Node.js builtin method in order to gain knowledge about the memory usage of any given process.
What you will learn:
  • How to get information about the memory of a Node.js process
  • How Node.js organizes the memory

Keynotes for Node.js Interactive Focus on the Future of the Platform

The conference (October 4–6 - Vancouver, Canada) features keynotes, presentations and workshops that are aimed to help Node.js users better understand how to work with Node.js and JavaScript as well as best practices in contributing to the project.
Keynotes announced so far:
  • James Snell, Node.js Technical Steering Committee Director: During his keynote, James will provide a roadmap of what to expect in Node.js in the coming months.
  • Rachel White, Technologist, Artist, Pretend-Cyborg: Rachel will explore creativity with Node.js and provide a glimpse into the art pieces people are working on that are powered by Node.js, how they are using it and what services they are incorporating.
  • Mark Hinkle, Executive Director of the Node.js Foundation: During his keynote, Mark will review the progress and success of Node.js and what’s ahead for the Foundation and project.
  • Anna Henningsen, Node.js Core Technical Committee Member: Anna will cover one week in the life of the technical side of Node.js. Want to start contributing to the project? Come to this keynote.
  • Franziska (Franzi) Hinkelmann, Software Engineer at Google: Franzi will discuss her perspective on Chrome V8 in Node.js, and what the Chrome V8 team is doing to continue to support Node.js.

Online Training: Testing Node.js Applications

The "Testing Node.js Applications" course takes four weeks, with 2-hour webinars (3 in total) and a 1-on-1 session tailored for your special needs.
During these four weeks, you will learn how to unit test your application, write integration and end-to-end tests. The webinars will be recorded and distributed to the attendees.
Previously in the Node.js Weekly Update
In the previous Node.js Weekly Update we read about performance monitoring with Prometheus, Building a sentiment analysis bot with IBM Watson and Raspberry Pi & Trading Cryptocurrencies, Forex, Commodities Stocks and More Using Node.js.
We help you to stay up-to-date with Node.js on a daily basis too. Check out our Node.js news page and its Twitter feed!