A major npm registry vulnerability
#414 — November 18, 2021
GitHub on npm Ecosystem Security (and a Major Bug They’ve Fixed) — GitHub became the custodian of the main npm registry in 2020 when it acquired npm Inc., and in this post they share details on how they’re improving its security. Rather worryingly, they recently identified two issues, one of which meant an attacker could publish new versions of any npm package without proper authorization (!). GitHub assures us, however, that it has not been “exploited maliciously” during the timeframe for which they have telemetry (September 2020 onward).
Mike Hanley (GitHub)
Migrating from Puppeteer to Playwright — Puppeteer is a popular Node library to remote control Chrome/Chromium browsers, whereas Playwright is a little broader and newer. This post digs through what you need to consider if you switch between the two.
A Complete Intro to Building For Real-Time — Join Brian Holt for this detailed course on building apps that can push client messages up to the server and talk in real-time. You’ll learn long polling, how to open web sockets, SocketIO abstraction, HTTP/2 Push, retry strategies, and more.
Frontend Masters sponsor
Announcing TypeScript 4.5 — Just two weeks after the RC comes the final release. What’s new? The formerly promised ES module support for Node is now merely experimental and in nightly releases only, but you also get the Awaited type, faster load times via Node’s realpathSync.native, import assertion support, and support for the lib setting for node_modules so you can update your types on your own terms.
Daniel Rosenwasser (Microsoft)
‘I Will Pay You Cash to Delete Your npm Module’ — Firstly, it’s a (sort of) joke, but the founder of sourcehut brings up an interesting point. He’s alarmed by huge trees of dependencies and wants to see people thinking about it, even if no money is involved.
How to Create Memory and Type-Safe Node Modules with Rust — We’ve mentioned Neon a few times before. It provides a way to write code in Rust that you can call from Node, and this tutorial provides a quick intro.
Using Node.js to Create An HTTP Proxy for IPFS Content — IPFS has some admirable goals, but it’s inaccessible for many users. See how to use Node to create an HTTP proxy to access IPFS content.
Find Tech Jobs with Hired — Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It’s free for job-seekers.
🛠 Code & Tools
Clinic.js 10: A Node Performance Diagnosis Suite — A tool to diagnose issues in Node apps with probes that collect metrics to assess the app and create recommendations. v10 adds Node 16 support. GitHub repo.
htmlparser2 7.2.0: A Forgiving HTML and XML Parser — Consumes documents and calls callbacks, but it can generate a DOM as well. There’s a live demo here.
Nodekeeper: A Lightweight Alternative to Nodemon — Like nodemon it monitors your app for changes and automatically restarts things, as you might want in development. There’s also an article on how it works.
Auto: Generate Releases Based on Semantic Version Labels on Pull Requests — A tool with the goal to make automated releases easy and without big changes to your workflow. GitHub repo.
browser-or-node 2.0: Figure Out Where Your Code is Running — Provides a simple way to tell if your code is currently running in a browser, in Node, in a Web Worker, or in Deno.
Execa 6.0: A Better child_process — A way to run external processes from your Node app. It has a Promise-based interface, better support for Windows, and allows up to a 100MB max buffer (vs the 200KB child_process uses). Now a pure ES module.