A major npm registry vulnerability

#414 — November 18, 2021


Node Weekly

GitHub on npm Ecosystem Security (and a Major Bug They’ve Fixed) — GitHub became the custodian of the main npm registry in 2020 when it acquired npm Inc., and in this post they share details on how they’re improving its security. Rather worryingly, they also disclose two recently fixed issues, one of which meant an attacker could publish new versions of any npm package without the maintainers’ authorization(!) GitHub assures us, however, that it has not been “exploited maliciously” during the timeframe for which they have telemetry (September 2020 onward), which is also to say that nothing can be said about the period before that.

Mike Hanley (GitHub)
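A check worth running on your own projects after reading that post: the authorization bug meant a new version of any package you depend on could have been pushed by someone other than its maintainers, and what keeps such a version from reaching an existing build silently is a lockfile that pins an exact `resolved` URL and an `integrity` hash for every installed package, installed with `npm ci` rather than `npm install`. The script below is an added example, not code from this issue of Node Weekly or from GitHub’s post. The lockfile it audits is constructed and its package names and hashes are fake; it assumes the npm 7+ lockfile format (`lockfileVersion` 2 or 3 with a `packages` map) and that registry.npmjs.org is the only expected download host.

```javascript
'use strict';

// Added example: audit an npm lockfile for dependencies that an unexpected
// published version could reach unnoticed. Not from Node Weekly or GitHub.
// Lockfile format assumed: npm 7+ ("lockfileVersion" 2 or 3, "packages" map).

// SRI integrity strings are "<algo>-<base64digest>"; npm emits sha512 for
// modern publishes and sha1 only for very old tarballs.
const STRONG_ALGOS = new Set(['sha512']);

// Returns the strongest algorithm named in an integrity field, or null.
function parseIntegrity(integrity) {
  if (typeof integrity !== 'string' || integrity.trim() === '') return null;
  // One field may hold several space-separated hashes; prefer sha512.
  const algos = integrity.trim().split(/\s+/).map((h) => h.split('-')[0].toLowerCase());
  return algos.includes('sha512') ? 'sha512' : algos[0];
}

// Walks every installed package and returns a list of { path, issue } findings.
function auditLockfile(lock, { allowedHosts = ['registry.npmjs.org'] } = {}) {
  const findings = [];
  if (!lock || lock.lockfileVersion < 2 || !lock.packages) {
    findings.push({ path: '', issue: 'lockfile v1 or missing "packages" map; regenerate with npm >= 7' });
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;   // root project entry, nothing is fetched for it
    if (entry.link) continue;    // workspace symlink, no tarball involved
    if (!entry.resolved) {
      findings.push({ path, issue: 'no "resolved" URL; install source is not pinned' });
      continue;
    }
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* unparsable URL */ }
    if (!host || !allowedHosts.includes(host)) {
      findings.push({ path, issue: `resolved from unexpected host ${host ?? entry.resolved}` });
    }
    const algo = parseIntegrity(entry.integrity);
    if (!algo) {
      findings.push({ path, issue: 'no "integrity" hash; tarball contents are not verified on install' });
    } else if (!STRONG_ALGOS.has(algo)) {
      findings.push({ path, issue: `weak integrity algorithm ${algo}` });
    }
  }
  return findings;
}

// Constructed sample lockfile (fake package names and hashes) showing one clean
// entry and three different gaps a real lockfile can have.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  requires: true,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-a': '^1.2.0', 'example-b': '~2.0.0', 'example-c': '1.0.0', 'example-d': '*' } },
    'node_modules/example-a': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/example-a/-/example-a-1.2.3.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    'node_modules/example-b': {   // integrity field missing entirely
      version: '2.0.1',
      resolved: 'https://registry.npmjs.org/example-b/-/example-b-2.0.1.tgz',
    },
    'node_modules/example-c': {   // old-style sha1 integrity
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/example-c/-/example-c-1.0.0.tgz',
      integrity: 'sha1-' + 'B'.repeat(27) + '=',
    },
    'node_modules/example-d': {   // pinned, hashed, but pulled from a non-registry host
      version: '0.9.0',
      resolved: 'https://mirror.example.internal/example-d-0.9.0.tgz',
      integrity: 'sha512-' + 'C'.repeat(86) + '==',
    },
  },
};

// Human-readable report; returns the text so callers can log or assert on it.
function report(lock) {
  const findings = auditLockfile(lock);
  if (findings.length === 0) return 'lockfile OK: every package pinned, hashed and from an allowed host';
  return findings.map((f) => `${f.path || '<lockfile>'}: ${f.issue}`).join('\n');
}

console.log(report(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Two caveats: the integrity hash only proves the tarball you install is the one that was locked, so it does nothing if the bad version was what got locked in the first place (diff the lockfile in code review whenever `resolved` or `integrity` changes); and `npm install` will happily rewrite the lockfile, so CI should use `npm ci`, which refuses to proceed if package.json and the lockfile disagree.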

Migrating from Puppeteer to Playwright — Puppeteer is a popular Node library to remote control Chrome/Chromium browsers, whereas Playwright is a little broader and newer. This post digs through what you need to consider if you switch between the two.

Checkly

A Complete Intro to Building For Real-Time — Join Brian Holt for this detailed course on building apps that can push client messages up to the server and talk in real-time. You’ll learn long polling, how to open web sockets, SocketIO abstraction, HTTP/2 Push, retry strategies, and more.

Frontend Masters sponsor

Announcing TypeScript 4.5 — Just two weeks after the RC comes the final release. What’s new? The formerly promised ES module support for Node is now merely experimental and in nightly releases only, but you also get the Awaited type, faster load times via Node’s realpathSync.native, import assertion support, and support for the lib setting for node_modules so you can update your types on your own terms.

Daniel Rosenwasser (Microsoft)

‘I Will Pay You Cash to Delete Your npm Module’ — Firstly, it’s a (sort of) joke, but the founder of sourcehut brings up an interesting point. He’s alarmed by huge trees of dependencies and wants to see people thinking about it, even if no money is involved.

Drew DeVault

Bundle Scanner: Identify npm Libraries Used on a Web Page — Enter a URL and this tool will try to show you what npm packages were used in the page’s JavaScript, even if they’re all bundled up. There’s an explanation of how it works, or some example results for Kent C. Dodds’ fancy new homepage.

Markus Englund

Electron 16.0.0 Released — Electron, the toolkit for building cross platform desktop apps with JavaScript, is now one of those projects with a fast, regular release cadence, so no huge changes here, but you get Chrome 96, Node 16.9.1 and V8 9.6 support, as well as the WebHID API.

OpenJS Foundation

How NodeSource Builds Better Security Monitoring and Alerts with InfluxDB

InfluxData sponsor

How to Create Memory and Type-Safe Node Modules with Rust — We’ve mentioned Neon a few times before. It provides a way to write code in Rust that you can call from Node, and this tutorial provides a quick intro.

Tharaka Romesh

Using Node.js to Create An HTTP Proxy for IPFS Content — IPFS has some admirable goals, but it’s inaccessible for many users. See how to use Node to create an HTTP proxy to access IPFS content.

Alex Merced

💻 Jobs

Backend Engineer (Remote, EU Timezones) — We’ve built a product thousands of people love (See Trustpilot if you don’t believe us). We need your help with Node & TypeScript.

Feather

Find Tech Jobs with Hired — Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It’s free for job-seekers.

Hired

🛠 Code & Tools

Clinic.js 10: A Node Performance Diagnosis Suite — A tool to diagnose issues in Node apps with probes that collect metrics to assess the app and create recommendations. v10 adds Node 16 support. GitHub repo.

nearform

htmlparser2 7.2.0: A Forgiving HTML and XML Parser — Consumes documents and calls callbacks, but it can generate a DOM as well. There’s a live demo here.

Felix Böhm

Nodekeeper: A Lightweight Alternative to Nodemon — Like nodemon it monitors your app for changes and automatically restarts things, as you might want in development. There’s also an article on how it works.

Pankaj Tanwar

Automate Domains, DNS, and SSL Certificates with This Special Offer 👀

DNSimple sponsor

Auto: Generate Releases Based on Semantic Version Labels on Pull Requests — A tool with the goal to make automated releases easy and without big changes to your workflow. GitHub repo.

Intuit

browser-or-node 2.0: Figure Out Where Your Code is Running — Provides a simple way to tell if your code is currently running in a browser, in Node, in a Web Worker, or in Deno.

Dinesh Pandiyan

Execa 6.0: A Better child_process — A way to run external processes from your Node app. Has a Promise-based interface, better support for Windows, and allows up to a 100MB max buffer (vs the 1MB that child_process.exec defaults to). Now a pure ES module.

Sindre Sorhus

The Official MongoDB Node.js Driver v4.2.0 — See what’s new in the release notes.

MongoDB, Inc.
