Testing, Performance Benchmarks and Security Compliance in Node.js
The Nine Node Pillars - Platformatic, together with long-time, top-tier Node.js collaborators and core developers, put together 9 principles for doing Node.js right in enterprise environments.
Headlines
Fuzz-driven testing for slow path detection — Nicolas, the maintainer of fast-check, shows how fuzz testing, a widely-used technique in Linux kernel development and other domains, helps uncover performance issues.
Proposal for The OpenJS Foundation Security Compliance Guide v1.0 — Ulises Gascon is putting together a document for the Security Program Standards and seeks feedback on source code and examples.
See below a screenshot of one of the vulnerable packages I am writing about in the Node.js Code Injection book, and it shows how older major versions are more prominent than new major releases. The CSM and EJS struggle is real, and this also extends to gaps in security fixes too:
How to use npm audit - If you’re totally new to security vulnerability findings from npm, this is a practical guide on how to use npm audit and learn about its downsides and recommended alternative.
Performance-optimized Node.js Microservices? — In this article, seasoned JavaScript conference speaker Tamar Twena-Stern reviews and shares benchmarks of different libraries, with Fastify and Pino among the popular names featured.
📦 On npm
- fast-check - Property-based testing for JavaScript and TypeScript by Nicolas Dubien.
- eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but could end up finding a lot of false positives which need triage by a human.
❗ New Security Vulnerabilities
- jquery-ui found vulnerable to Cross-site Scripting, 18 Oct 2024
- http-proxy-middleware found vulnerable to Denial of Service, 18 Oct 2024
- hono found vulnerable to Cross-site Request Forgery, 15 Oct 2024
- astro found vulnerable to Cross-site Scripting, 14 Oct 2024
- markdown-to-jsx found vulnerable to Cross-site Scripting, 14 Oct 2024
- jungle-db was a malicious package published on npm, I hope you didn’t install it 😅
🔮 Node.js Tip of the Week
🔮 Ditch minimatch and other file globbing dependencies.
Node.js LTS (20.17.0) added experimental support for matching a path to a glob using the matchesGlob method in the path module:
Screenshot courtesy of @styfle, thanks!
💼 Hiring
- Bun hiring for Developer Experience Engineer in San Francisco, United States 🇺🇸
- Vercel hiring for Developer Experience Engineer in Remote, United States 🇺🇸
- NearForm hiring for Senior Developer in Remote, Italy 🇮🇹
- Contentful hiring for Senior Software Engineer - TypeScript and Node.js in Denver, United States 🇺🇸
- Webflow hiring for Senior Software Engineer in Remote, United States 🇺🇸
- Fireflies.ai hiring for Full stack Engineer in India 🇮🇳, Turkey 🇹🇷, Singapore 🇸🇬
- Calendly hiring for Staff Full stack Engineer in Remote, United States 🇺🇸