Command Injection intro, Node.js ESM dual support, Corepack core module outlook and StackBlitz new npm package release previewer
A Brief Introduction to Command Injection Basics in Node.js — If you’re new to Command Injection, learn the basics of what this security vulnerability is about and the risks involved, referencing real-world incidents, and following best practices.
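As an added illustration of the pattern that article warns about (example code written for this issue, not taken from the newsletter or the linked article; the "ping a user-supplied host" endpoint scenario is assumed), here is the vulnerable string-built shell command next to an allow-listed, argv-based rewrite:

```javascript
// Assumed scenario: a route hands `host` (untrusted input) to the system ping.

// VULNERABLE: the value is spliced into a shell command string, so any shell
// metacharacter in `host` changes the command that /bin/sh runs.
async function pingUnsafe(host) {
  const { exec } = await import('node:child_process');
  return new Promise((resolve, reject) =>
    exec(`ping -c 1 ${host}`, (err, stdout) => (err ? reject(err) : resolve(stdout))));
}

// Allow-list check: only characters that can appear in a hostname or IPv4
// literal, and no leading '-' so the value cannot be parsed as a ping option
// (argument injection is the residual risk even once the shell is gone).
function isSafeHost(host) {
  return typeof host === 'string'
    && host.length <= 253
    && /^[A-Za-z0-9.-]+$/.test(host)   // rejects ; | & $ ` whitespace, etc.
    && !host.startsWith('-');
}

// Build an argv vector instead of a command string: each element is passed to
// the program as-is, no shell is involved, so metacharacters are inert.
function pingArgv(host) {
  if (!isSafeHost(host)) throw new Error('invalid host');
  return { file: 'ping', args: ['-c', '1', host] };
}

// HARDENED: validated input, execFile (no shell), fixed program and options.
async function pingSafe(host) {
  const { execFile } = await import('node:child_process');
  const { file, args } = pingArgv(host);
  return new Promise((resolve, reject) =>
    execFile(file, args, (err, stdout) => (err ? reject(err) : resolve(stdout))));
}
```

The dynamic `import()` is used only so the snippet loads under both CommonJS and ESM entry points; in a real module a static import is fine.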
Headlines
Setting the standards for ESM and CJS — A conversation on the core Node.js repository with a proposal to provide best practices for publishing npm packages with ESM and CJS compatibility.
Is Corepack going away? — If you missed a small trivia detail on Node.js: it bundles Corepack, a capability to manage package managers. Yep, you read that right. Should we remove it now from Node.js core? Join in on the ongoing conversation.
Learn Platformatic’s AI Warp to create OpenAI-powered applications — This step-by-step guide goes through a React and Node.js application setup on top of Platformatic’s new AI Warp scaffold project to build new GenAI-powered applications with an OpenAI integration.
Platformatic also raises 4.3M 💰 in another funding round to address Node.js challenges. Congratulations to Matteo and Luca 👏.
Fastify published v5 with many updates 🎉
Test your packages before publishing with pkg.pr.new — StackBlitz published a new toolchain to allow for preview releases of npm packages without releasing them to the npmjs registry.
🧠 Pop quiz: is this code vulnerable to SQL injection? A good discussion on SQL syntax, abstraction, and the impact on security.
📦 On npm
vuln-regex-detector — This module lets you check a regex for vulnerability. In JavaScript, regular expressions (regexes) can be “vulnerable”: susceptible to catastrophic backtracking. If your application is used on the client side, this can be a performance issue. On the server side, this can expose you to Regular Expression Denial of Service (ReDoS).
git-secrets — Prevents you from committing secrets and credentials into git repositories.
❗ New Security Vulnerabilities
- rollup CVE-2024-47068 found vulnerable to Cross-site Scripting, 24 September 2024
- @directus/api CVE-2024-46990 found vulnerable to Server-Side Request Forgery, 19 September 2024
- find-my-way CVE-2024-45813 (popular Node.js router package) found vulnerable to Regular Expression Denial of Service, 19 September 2024
- next CVE-2024-46982 found vulnerable to Cache Poisoning, 18 September 2024
- @backstage/plugin-catalog-backend CVE-2024-45815 found vulnerable to Prototype Pollution, 18 September 2024
🔮 Node.js Tip of the Week
The native Node.js test runner has a new experimental capability: code coverage.
You can now include coverage reports when running tests with the native test runner by passing --experimental-test-coverage:
node --experimental-test-coverage --test ./tests
💼 Hiring
Companies hiring for Node.js / JavaScript / TypeScript roles:
- Bun hiring for Developer Experience Engineer in San Francisco, United States 🇺🇸
- Snyk hiring for Developer Experience Engineer in London, United Kingdom 🇬🇧
- Vercel hiring for Developer Experience Engineer in Remote, United States 🇺🇸
- NearForm hiring for Senior Developer in Remote, Italy 🇮🇹
- Contentful hiring for Senior Software Engineer - TypeScript and Node.js in Denver, United States 🇺🇸
- Webflow hiring for Senior Software Engineer in Remote, United States 🇺🇸
- Fireflies.ai hiring for Full stack Engineer in India 🇮🇳, Turkey 🇹🇷, Singapore 🇸🇬
- Calendly hiring for Staff Full stack Engineer in Remote, United States 🇺🇸