Express 5 with Security Fixes, Anti-Patterns in Node.js configuration, Profiling Node.js & local-first Logging System, and Deno new reference API docs
Express 5 released after 10 years with significant security fixes - The release includes security fixes for Express and its related utilities (the body-parser npm package and others), features the establishment of a Security WG and a Threat Model, and welcomes discussions for Express Forward.
Headlines
Environment variables and configuration anti-patterns in Node.js applications — Do you use .env.development? Or maybe process.env[KEY]? These are just a few of the common Node.js configuration anti-patterns I see in web applications; this is a long post on them.
Best Practices for Bootstrapping a Node.js Application Configuration — A direct continuation of the above article, these are my opinionated best practices for managing configuration in Node.js applications.
Profiling Node.js Applications — A well-rounded, step-by-step blog post on how to use the internal Node.js profiler, DevTools, the Node.js Inspector and the perf tool. It serves as a good introduction to finding performance bottlenecks.
Deno 🦖 adds new Reference API docs - Clearly separates Deno APIs, Web APIs, and Node.js APIs as reference documentation for Deno developers.
Wow, Coinbase just recently shelled out $500,000 in their bug bounty program 😮💰
Analyzing Real-World Node.js Command Injection Examples.
errsole.js — An open-source and local-first logger dashboard for Node.js local development, which is actually pretty genius because it is a convenient way to scour through logs instead of reading terminal output.
🧠Quiz: Does anyone want to take a guess on the multiple security vulnerabilities in this 2024 Node.js API REST tutorial? 🥱
📦 On npm
- redbird — A reverse proxy for Node.js.
- fastify-kysely — Plugin to share a common Kysely instance across Fastify.
New Security Vulnerabilities
- express found vulnerable to Cross-site Scripting 10 September 2024
- body-parser (Express related) found vulnerable to Denial of Service 10 September 2024
- express found vulnerable to Open Redirect 26 March 2024
- dset found vulnerable to Prototype Pollution 10 September 2024
FAQ: What is Prototype Pollution?
🔮 Node.js Tip of the Week
New Node.js feature is a fancy Deno-like process permissions model - Node.js has this built in with the --experimental-permission flag. Here's how it looks in practice:
node --env-file=.env --experimental-permission server.js
💼 Hiring
- Riverside.fm hiring for Application Security Architect in Israel 🇮🇱
- Riverside.fm hiring for Senior Backend Engineer in Israel 🇮🇱
- Snyk hiring for TypeScript & Go Senior Software Engineer in Boston 🇺🇸
- Snyk hiring for TypeScript & Go Software Engineer in Boston 🇺🇸
general pattern for writing memory leak tests for specific functions/code
- do a thing N times;
- run GC;
- record RSS;
- do a thing N times again, 100 or 1000 times;
- run GC;
- record RSS;
- If RSS at end - start > 5 MB or so, it leaks
— Jarred Sumner, July 6, 2024