Native TypeScript support in Node.js core? 2024 Node.js security initiatives, vulnerability quiz and selected npm packages

Poor Express Authentication Patterns in Node.js and How to Avoid Them — Reviewing several insecure defaults and common mistakes in Express and Node.js web application framework setup and route controllers.

[Image: express poor cookie setup]

Headlines

Node.js Security disclosure guide — What is considered a vulnerability in the Node.js runtime? An update to the guide on disclosing vulnerability information now features the Node.js threat model.

Node.js Security initiatives selected for 2024 — Rafael Gonzaga shares the highlights of the security working group. This is a great opportunity to join if you are looking to contribute to open source.

TC39 Type Annotations coming to Node.js? — Marco Ippolito adds initial support for --experimental-strip-types, allowing native TypeScript code to run in Node.js core (also known as Type Annotations, originally proposed by Gil Tayar).


🧠 Quiz: can you find the vulnerability waiting-to-happen?

It is a Node.js data validating tutorial, of all things, and it does well to focus on performing input validation in the route controller (good job, author!), but I was missing the main keyword “NoSQL injection” throughout the entire article.

Performing Data Validation in Node.js... can you see what's wrong without validation?


🤔 A Node.js tutorial in 2024: importing the slow bcryptjs, mixing middleware callbacks with promises and Promise thenables (not in the screenshot)… it makes me think: should we establish modern Node.js development guidelines as a semi-official proposal?

[Image: vulnerable snippet of code from Node.js REST API tutorial]
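As an added illustration of the NoSQL injection the quiz points at (example code written for this issue, not taken from the tutorial): the MongoDB filter an Express login route builds straight from `req.body`, next to a version that validates the input first. The function names and the 128-character limit are assumptions.

```javascript
// Assumes an Express-style handler whose req.body was parsed from JSON.

// Unsafe: whatever JSON the client sent is forwarded into the query
// filter. A JSON object sent in place of a string is interpreted by
// MongoDB as a query operator, which is the NoSQL injection the
// tutorial never names.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Validation step: the value must be a string of sane length before it
// reaches the database driver.
function validateCredential(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  if (value.length === 0 || value.length > 128) {
    throw new RangeError(`${field} has an invalid length`);
  }
  return value;
}

// Safe: only the validated username goes into the filter, pinned to an
// equality match so no operator can be smuggled in. The password is
// validated here but verified against the stored hash after the lookup,
// never matched inside the query.
function buildLoginFilterSafe(body) {
  const username = validateCredential(body.username, 'username');
  validateCredential(body.password, 'password');
  return { username: { $eq: username } };
}

// Detection helper for logging or tests: does a request body contain
// any '$'-prefixed key at any depth? Legitimate credentials never do.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([key, nested]) => key.startsWith('$') || hasOperatorKeys(nested)
  );
}
```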

patch-package — A tool in the experienced Node.js engineer's arsenal is patch-package, an npm package that lets you easily maintain patches for upstream packages by applying git patch diffs straight to your node_modules directory.

📦 On npm

  • @fastify/vite — Cleanly and elegantly integrate Fastify and Vite to create a minimal, low overhead, blazing fast setup for full stack monoliths.
  • fastify-html — From Matteo Collina himself: generate HTML in the most natural Fastify way, using template tags, layouts and the plugin system.

❗New Security Vulnerabilities

🔮 Node.js Tip of the Week

Ditch __dirname and its alternatives.

Node.js v20.11.0 and Node.js v21.2.0 ship with built-in support for import.meta.dirname and import.meta.filename.

[Image: Node.js support for __dirname using import.meta]

💼 Hiring


Most developers ignore the fact that they have the skills to debug/fix/modify their dependencies. They are not maintained by unknown demigods but by fellow developers.

— Matteo Collina, July 3, 2024


Don’t Miss Out — Register for NodeConf EU 2024 at Waterford Castle! ☀️

NodeConf EU speakers are among the best in the Node.js community, chosen for their exceptional contributions and groundbreaking work.

Here’s what you can expect:

  • Cutting-Edge Talks: Explore the latest trends and best practices in Node.js.
  • Hands-On Workshops: Enhance your skills with practical, interactive sessions.
  • Networking Opportunities: Connect with fellow enthusiasts, industry leaders, and professionals.
  • Unforgettable Fun: Enjoy a perfect balance of learning and entertainment.

[Image: Matteo Collina speaker card for NodeConf EU]

