Below you can find RisingStack's collection of the most important Node.js news, projects, updates & security leaks from this week:
Scott Nonnenberg shared his 5 years of Node.js knowledge on topics like Classes, NaN, the Event Loop, Testing, Dependencies, and on failing to use New Relic to monitor Node.js apps.
After five years working with Node.js, I’ve learned a lot. I’ve already shared a few stories, but this time I wanted to focus on the ones I learned the hard way. Bugs, challenges, surprises, and the lessons you can apply to your own projects!
Node.js Streams come with a great power: You have an asynchronous way of dealing with input and output, and you can transform data in independent steps.
In this tutorial, I’ll walk you through the theory, and teach you how to use object stream transformables, just like Gulp does.
Over the last months, the Atom team has been working hard on improving one of the aspects of the editor our users care about the most: startup time.
We will first provide the reader with some background about why reducing startup time is a non-trivial task, then illustrate the optimizations we have shipped in Atom 1.17 (currently in beta) and, finally, describe what other improvements to expect in the future.
Today, we’re excited to announce that Trace, our Node.js monitoring & debugging tool, is now free for open-source projects.
We know from experience that developing an open-source project is hard work, which requires a lot of knowledge and persistence. Trace will save a lot of time for those who use Node for their open-source projects.
As we’ve mentioned in the previous Node.js Weekly Update, V8 5.9 will be the first version with TurboFan + Ignition (TF+I) turned on by default.
As parts of the Node.js codebase have been tuned to CrankShaft, there will be a non-trivial amount of churn to adapt to the new pipeline. This also creates a security risk, as CrankShaft and FullCodeGen are no longer maintained by the V8 team or tested by the Chrome security team. If TF+I lands in Node.js 9.x, backporting any changes to Node.js 8.x is going to prove extremely difficult and time consuming.
The Node.js Core Team decided that they should target V8 5.8 in the 8.x release. The Foundation will delay the release by 3-4 weeks to allow a forward-compatible ABI with V8 6.0. The upgrade to TF+I will land as a semver-minor change.
Code written with async functions benefits from superior readability, improved terseness and expressiveness, and unified error handling. No more nested callbacks, opaque Promise chains, and if (err) checks littering your code.
However, this pattern isn’t a panacea. It’s easy to do some things: iterate through single items, wait on a single result, run an array of promises in parallel. Other workflows require abstraction or state. I kept finding myself writing the same utility functions in each project: delays, throttled maps, skipping try/catch on optional operations, adapting to events or callbacks. Await, combined with these simple abstractions, yields readable yet powerful async workflows.
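The kind of helpers the excerpt lists, as an added example that is not code from the quoted article: a `delay`, a concurrency-limited `throttledMap`, an `optional` wrapper that swallows failures of non-critical steps, and `fromCallback` for Node-style callback APIs. The function names and the demo input are assumptions of this example.

```javascript
// Added example (not the quoted article's own code): four async/await
// helpers of the kind the excerpt lists; names and demo input are constructed.

// Resolve after `ms` milliseconds (useful for backoff and for pacing tests).
const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Map `items` through async `fn` with at most `limit` calls in flight.
// Results keep input order; the first rejection rejects the whole map.
async function throttledMap(items, fn, limit) {
  if (!Number.isInteger(limit) || limit < 1) {
    throw new RangeError('limit must be a positive integer');
  }
  const results = new Array(items.length);
  let next = 0; // index of the next item a free worker should pick up
  async function worker() {
    while (next < items.length) {
      const i = next++; // claim an index; no await between check and claim
      results[i] = await fn(items[i], i);
    }
  }
  // Spawn min(limit, items.length) workers that drain the shared index.
  const workers = Array.from({ length: Math.min(limit, items.length) }, worker);
  await Promise.all(workers);
  return results;
}

// Run an optional step without a try/catch at the call site: its value on
// success, `fallback` on any throw or rejection.
async function optional(fn, fallback = undefined) {
  try { return await fn(); } catch { return fallback; }
}

// Adapt a Node-style `fn(...args, (err, value) => {})` API to a promise.
const fromCallback = (fn, ...args) =>
  new Promise((resolve, reject) =>
    fn(...args, (err, value) => (err ? reject(err) : resolve(value))));

// Demo with constructed ids: five "lookups" two at a time, then an optional
// step whose failure is replaced by a default.
async function demo() {
  const doubled = await throttledMap([1, 2, 3, 4, 5],
    async (id) => { await delay(20); return id * 2; }, 2);
  const setting = await optional(() => Promise.reject(new Error('config missing')), 'default');
  return { doubled, setting };
}
demo().then((r) => console.log(r)); // { doubled: [ 2, 4, 6, 8, 10 ], setting: 'default' }
```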
Node Summit 2017 will host the fifth annual NodeTalks. The conference will host leading technology and business experts from across the Node.js ecosystem who will present real-world case studies and talks that highlight the rapidly growing number of high-profile companies and critical applications that rely on the Node.js ecosystem.
Security Vulnerabilities Discovered:
- ReDoS – decamelize package, versions >=1.1.0 <1.1.2
- ReDoS – useragent package, versions <2.1.12
- ReDoS – uri-js package, versions <3.0.0
- DoS – nes package, versions <6.4.1
- Insecure use of Tmp files – sync-exec package, ALL versions
- XSS – sanitize-html package, versions <1.2.3
- XSS – morris.js package, versions <=0.5.0
- Unsafe eval() – summit package, versions >=0.1.0
- Insecure Randomness – react-native-meteor-oauth package, ALL versions
Previously in the Node.js Weekly Update
In the previous Node.js Weekly Update we read interviews with Matt Loring & Mark Hinkle, and read about tracking the growth of Open-Source and about mastering the Node CLI.