Archive

Hi Everyone, this week has been busy with new releases. The biggest news is a refactoring of Loaders in Node.js, allowing multiple chainable loaders to modify your source simultaneously. Other news is about multiple releases throughout the Fastify ecosystem. Check them out!

Fastify

• Fastify v4.2.1 was the result of the work of 17 people - 14 of which are first-time contributors! Those are mostly docs and bug fixes: every contribution is welcomed!
• fastify-bearer-auth v8.0.1 and v7.0.2 fix a vulnerability on how crypto.timingSafeEqual() was used, making it possible to guess the password length and enabling brute-forcing.
• @fastify/jwt v6.3.0 adds the types for using ES256 with a passphrase with TypeScript, replacing http-errors with @fastify/error. v6.3.1 adds the type for the decoratorName option.
• @fastify/rate-limit v7.1.0 adds the onExceeing and onExceeded callbacks. @fastify/rate-limit v7.2.0 allow the user choose the namespace of the redis.
• @fastify/express v2.0.1 removes a type export that was removed in v2.0.0
• @fastify/cookie v7.1.0 improves the typings and flips it back to use the original cookie module as they released a new version in April. v7.2.0 adds the signCookie decorator and utilities
• light-my-request v5.1.0 updates its typing to match @types/node for HTTP server. v5.2.0 adds supports for AbortController.
• @fastify/soap-client v2.0.0 contains the update to Fastify v4.

Pino

Hi Folks, how are you doing? I’m starting to plan the launch of some new OSS in the fall… I can’t wait to share it all with you. Anyway, here are my notes for last week!

Fastify

• mercurius v10.1.0 adds support for receiving headers from subgraphs and updates several dependencies.
• fastify-cli v4.3.0 adds support for JavaScript config files.
• @fastify/deepmerge v1.1.0 improves the module’s performance and adds an arrayMerge option.
• fastity-type-provider-typebox v2.1.0 adds a a new extremely fast validator built on top of TypeBox which boasts on average a +50% validations/s than Ajv.
• @fastify/csrf v5.1.0 brings improved performance and better typings.
• csrf-protection v5.1.0 updates to latest @fastify/csrf and moves to use the synchronous random bytes generators as it’s faster.
• fastify-cli v4.4.0 adds support for server options via ESM
• fast-json-stringify v5.1.0 replaces deepmerge with @fastify/deepmerge for additional performance and it fixes some validation issues for date/time as well as arrays.
• avvio v8.2.0 fixes a tricky bug that could cause a forked promise chain to wait for a loaded plugin. See this issue for the full context.

Node.js

Hi Everyone, another week has passed. I’ve been relaxing at my favorite beach in Milano Marittima as well as doing some Open Source development.

The videos from Openjs World 2022 have been released!

Hi Everyone, last week it has been busy with new releases and features. I’m currently at my favourite beach spot and focusing on OSS. This issue is a bit lighter than usual - let me know what you think!

If you are migrating from Node.js v16 to v18, check out the following article: there is a breaking change with unexpected consequences. Read this complete twitter thread:

Fastify

• fastify v4.1.0, which makes .redirect() and .callNotFound() “return reply”.
• fastify-sensible v5.1.0
• fastify-passport v2.0.1
• fast-json-stringify v5.0.0 - this release is preparing for a few fixes coming in Fastify v4.2.0 coming this week.
• fastify-isolate v0.3.2 adds the support for a stopTimeout option to delay the closing of the isolate.
• fastify-cli v4.2.0 ships a few bugfixes and adds a new option to generate the linter configuration.
• fastify-reply-from v8.1.0 ships a new feature to disable request logging.
• fastify-type-provider-json-schema-to-ts v2.0.0 bumps the json-schema-to-ts dependency to 2.0.0.

Hi Folks, last week was pretty intense for me! After 8 years, I left NearForm and sailed into the unknowns! I have something else already planned, and I’ll spend the next few months building some amazing Open Source Software for all of you to use. Stay tuned!

Fastify

• Fastify v4.0.3 that fixes quite a few regressions introduced in v4.0.0!
• fastify-http-proxy v8.0.2
• We are also planning a significant improvement in fast-json-stringify that removes a significant issue in the handling of complex Ajv schemas by using Ajv to resolve the schemas. Check out: https://github.com/fastify/fast-json-stringify/issues/468.
• fastify-swagger v7.4.0
• find-my-way v7 which drops supports for Node v12, v15 and v17.

Hi folks! Last week in Austin was a blast. I held one of the keynotes at OpenJS World 2022, delivered a talk and a workshop at the conference, facilitated two sessions at the OpenJS collab summit. Last but not least, I released Fastify v4! This edition is a bit a light on content as I was traveling - as usual let me know what you think!

Fastify

Hey Folks, I’m writing this after I landed in Austin for OpenJS World 2022. I’m really excited about meeting everybody in person after more than two years. In this issue you’ll find a few releases and a few quite interesting articles… including one on how NOT to do security research. Let me know what you think!

Fastify

Hi Folks, last week I have been traveling to Dublin to see some of my colleagues at Nearform and I had less time for OSS. Anyway this edition features quite a bit of releases and insightful news.

Do you like this newsletter? Would you like to sponsor it? Check out the new sponsorship page.

Hi Folks, this edition covers the upcoming Fastify v4 release and several other news in the Node.js and Open Source world. Let me know what you think!

Fastify

Hi Folks! May is going to be a very busy month with some traveling as well as many OSS releases and new announcements. I took a slightly new format for the release announcements.. let me know what you think!

The NodeConf.eu CFP is now open! Would you like to come to Ireland to speak at the most-awaited in-person event of the year?

Hi Everyone! In the last two weeks I have been traveling in the South of France with my family - I really needed a break. I’ve quickly assembled this edition composed of a few important releases and a lot of interesting articles. As usual, let me know what you think!

Fastify

Many developers ask the same question when joining the Fastify community: how do we know which modules are core and which one are ecosystem? We have listened and migrated all core modules to use the @fastify scope on npm. Read more at:

Hi Folks, in this edition we cover a new release of Fastify and Pino as well as TypeScript support for ESM modules. Check it out!

Two weeks ago I went to London for CityJS! You can watch my first talk on stage after 2 years at:

Fastify

Hi Folks! Another week has passed and we had a flurry of activity on Pino, Fastify and Mercurius! Last week I was back on the road to speak at CityJS Conference. After more than 2 years it felt amazing to be on stage!

Pino

Last week I have been on a journey to fix failing tests in CITGM. Some of the changes required a change in thread-stream’s flush() implementation to avoid release zalgo!

Hi Everyone! It’s time for another edition of Adventures in Nodeland, telling the latest stories of the Fastify & Node.js communities. Today we have quite a bit of news and articles, a new event we are launching, and a “fun” experiment with TypeScript targets. As usual, let me know what you think!

We are launching a new event on GraphQL! Check it out:

Hi Everyone! Focusing on Open Source has been incredibly hard last week and in this edition I’m mostly reporting amazing work done by others. There are also quite a few interesting article at the end, ranging from an amazing story of breaking into tech to Capital One using software I developed. Cheers!

Fastify

I’ve recently discovered star-history.com, a website that allows to compare the history of stars in GitHub projects. Interestingly enough, Fastify and Express are growing at the same rate. Why is this important? It’s not! It was just a fun fact to report.

This week we had two releases of fastify-websocket. I probably should have combined them together!

Hi Everyone, this edition is bittersweet. It’s packed with all the usual OSS releases and news that you got to enjoy, however the current world situation keeps me awake at night. I #StandWithUkraine.

Last week I was hosted in PodRocket, the podcast of LogRocket! We talked about Fastify, Pino and community building!

PodRocket - A web development podcast from LogRocket: Fastify and Pino with Matteo Collina

Matteo Collina is Chief Software Architect at NearForm, a member of the Node.js Technical Steering Committee, and the creator of Fastify and Pino. In this episode, we talk about making Node applications faster, Fastify v4, ORMs, npm downloads, and much more.

podrocket.logrocket.com

Technical Principles

Hi Folks, here is another edition of Adventures in Nodeland packed with great news and new releases. The biggest news is that Fastify has 91% developer satisfaction according to the State of JS survey. I find this result quite impressive - thank all of you for the support! On the release front… I shipped Fastify v4.0.0-alpha.1 on Friday! As usual, let me know if you have any questions!

Fastify

Last Friday I merged the next branch of Fastify with the main branch, officially starting the v4 release cycle with v4.0.0-alpha.1. The pre-release is pretty low on release notes, plugin support and migration guides. However all breaking changes are there. We will cut a release candidate soon!

Hi Folks, here is another edition of Adventures in Nodeland - where I tell the story of my endeavors in the world of Node.js development. If you would like to support my OSS work, check out my github sponsors profile.

I’m so happy to announce I will be delivering a Keynote at OpenJS World 2022 in June! I will be talking about JavaScript and building performant JS applications… today and in the years to come. Can’t wait to meet you all!

Hi Everyone! This edition includes a massive list of changes that have been worked on in the last weeks in Fastify and Pino. Thanks to our fantastic community, we have been able to ship all this work! This edition also feature a few articles covering OSS sustainability, Remix, and a few other very interesting takes. Enjoy!

This week I will be speaking at JS Poland about Fastify! Tune in at:

Hi Everyone, this edition covers a couple of personal milestones for me: being cited by HorseJS and opening up my GitHub sponsor account. We also include several releases ranging from Mercurius Cache to Pino.

My biggest milestone of this week is that… I been “horsed”! I’m so proud about it and it shows my greatest commitment to the JavaScript community in these years.

I decided to open up GitHub Sponsors because while a lot of my OSS is funded by @NearForm, I very often receive requests for bug fixes etc from people/companies that for different reasons cannot hire NearForm and yet they cannot fix bugs themselves.

Sponsor @mcollina on GitHub Sponsors · GitHub

GitHub is where people build software. More than 73 million people use GitHub to discover, fork, and contribute to over 200 million projects.

github.com

Hi Everyone,

In this back-to-work edition we feature only a few releases and Open Source work as I had some days off. However it covers quite a few interesting article ranging from some npm drama to GraphQL and web3.

See you next week!

The big shoutout this week goes to the hyperid module that got a new bug found and fixed… and I learned that RFC4648 covers how to encode base64 data in a url safe manner. Read more at:

Hi Everyone! I’ve missed an edition because I took a week off at the beginning of December - I was exhausted, this has been a tough year. In case you wonder, I have been to Rome and Florence!

We are back with our regular schedule and I hope to keep up with the newsletter over the holidays as well. As usual, let me know what you think

Being off for a week often means that no releases are shipped. I learned the wrong way to always release when you have time to fix your mess. So.. a lot of projects I maintain shipped something new last week. Check them out.

Fastify

Hi Everyone, as you read this I’m going to take a few days off with my family to recharge. You might or not find an “Adventures in Nodeland” edition in your Inbox next week - mostly dependent on how much time I would have.

This edition includes quite a bit of new releases and code that you might want to check out!

Mercurius

There was a significant release of Mercurius last week and it’s a patch release. In 8.10.0 we have introduced a new feature related to error handling.. and unfortunately we have introduced a significant regression that could cause process crashes on unwanted inputs. This release fixes it/

Hi Everyone! This edition of Adventures in Nodeland is packed with new releases - last week was very productive as I caught up with my OSS duties. Thanks for reading and let me know if you have any question!

I’m very excited to be speaking at GraphQL Galaxy about my implementation of GraphQL caching. It is still a work in progress but we have already seen massive performance improvements in a few production cases! Watch the talk!

Hi Folks! These weeks are quite busy with the typical end-of-year work and I am not doing as much Open Source as I would like. However

I’m so happy to announce that I will be back speaking at an in-person event the next March! I’m still preparing the abstract… what would you like me to talk about?

Haven’t you listened to the “JS Party” about Fastify and Pino? If you haven’t you should definitely check it out, we had a lot of fun recording this!

I have been working to make Fastify fully support Node v17… and I found a bug in Node! This means that Fastify will support Node v17 once this is fixed. In case you are curious, here is the PR:

Hi Everyone! Another week in this “impossible” November has passed - my current workload is very high at the minute.. I hope the content you’ll find this week is quite interesting.

Mercurius

I have been preparing a new talk on GraphQL caching and I assembled some benchmarks on the impact a “simple” solution like the one in mercurius-cache implement can make a difference in your GraphQL deployment. The “easy” improvement you can get is 4x, which is pretty impressive:

Here is the PR adding the benchmark. Note that the PR had a bug / the time was incorrectly represented as milliseconds while it was seconds instead.

Hey Everyone, another week in Nodeland has passed! This edition covers some improvements on npm, two fastify releases and a pino release!

After a couple of modules were released with Windows virus included, last we are now debating about disabling postinstall scripts by default in npm pacalges. I believe this is a great step we should take. Read the RFC… will the npm team implement it?

Hi Everyone! Thanks for keep reading this weekly newsletter on my open source endeavors. This week edition is centered on a new supply chain vulnerability affecting a lot of languages/compilers/runtimes, a new feature coming in Fastify v4 and some docs for pino.

A new week start and a new supply chain attack become possible. This one is a tricky, subtle one that attacks humans by making the code they read different from the code it is excuted. Read up the paper at:

Then the GitHub response to it:

Hi Everyone! This edition is all about NodeConf and Node v17. I have been visiting Milan last week, it has been pretty amazing to relax after an hectic NodeConf week!

After I published a picture on social media about me being in Milan I met up with Tomas (the other Fastify lead dev) who was passing though Milan by chance. What an encounter: last time we saw each other in person was over two years ago in Austria for WorkerConf!

The next bit of news is that my NodeConf talk “Multithreaded logging with Pino” is now on Youtube together with all the others. Check it out:

Hey Folks, last week has been hectic! I have been the champion for the Node.js security release of the 12th of October and I shipped pino@7.0.0. Next week is NodeConf week, are you registered and ready?

I have probably written about how excited I am about the new Pino release since the beginning of this newsletter. The cat is out of the bag now, check it out, open issues and pull requests. There is likely a lot to fix!

Hey Noders! Last week have been dedicated to Security work and the finalization of pino@7.. as well as reading a few very interesting articles! Thanks for following along.. and let me know what you think of this issue!

October 12th 2021 Security Releases | Node.js

Node.js® is a JavaScript runtime built on Chrome’s V8 JavaScript engine.

nodejs.org

I’m starting this edition of Adventures in Nodeland by reminding you to upgrade your Node.js on Wednesday 13th.. as a set of vulnerability fixes will be released for all LTS lines. I’m running point for this release train.. let’s see how it is going!

Hi Everyone! Last week have been incredibly busy between NodeConf preparations, the upcoming Pino@7 release and Node.js maintenance.

If you like this newsletter, you should watch NodeConf Remote! Register using the above link, it’s free.

Hi Everyone,

What happen in Nodeland last week? Plenty! I’m currently very busy on Pino, NodeConf, a few Node.js improvements and a few Fastify releases as I botched a change a couple of weeks ago. Interested? Read through!

Only 3 weeks to NodeConf! Are you ready? Sign up, it’s going to be amazing!

Hi Everyone,

Last week I have been busy doing Open Source, leading projects, organizing NodeConf and the Italian NearForm meetup. There are a few new releases to talk about, so let’s dive in…

…litterally! Last weekend a few colleagues at NearForm traveled from all over Italy, France, Portugal and Serbia to Milano Marittima for a retreat! It has been an amazing experience. This is probably the part of of NearForm I missed the most: meeting people from all over the places and spend some quality time with them. If you are interested in participating in the next meetup, check us out at!

Hi Folks,

I’m back from Austria after some time with my family! Last week has been incredibly busy Node-wise. and I can’t wait to share it all with you.

Pino

We have worked pretty hard in finishing off pino@7 and we have now reached the 4th release candidate. There is likely some more work to do, but this release looks incredibly solid. The goal is to encourage most people to use the new transport system for most of their work.

Hi Folks,

I’m sorry for the delay - I’m currently in the Austrian Alps with my family! Last week has been a bit hectic and I did not accumulate much Open Source work as it was a back-to-work week for most people.. and I had to focus on Node.js Core security work.

I have recently found that this version of one of my best talks ever “Stream Into the Future” has almost 30 thousands view on youtube! I’m sincerely impressed, thank you all for watching it. If you have not watched this, it’s a really instructive talk on the “future” of Node.js streams at the time… however we have mostly implement all of what I mentioned in the talk, I guess I should do a new stream talk! Would you be interested?

Hello Folks!

Welcome to Adventures in Nodeland, the newsletter where I cover my Open Source activity of the last week, as well as some interesting articles I stumble on Tech Twitter.

The first Pull Request I would like to highlight is the new error handling of Fastify@4 which will be released in the coming months. We will finally enable you to nest error handler in plugins and support throwing in them to break out of the encapsulation jail. The result is that you can handle your errors as close as possible to their throwing point.

Hi Folks, this week I’m in the mountains with my family :)! I’ve been a bit late in preparing everything for this issue that sum up last week… I hope you will like it nevertheless! There might be a lighter issue next week.. we’ll see!7

Pino

We finally released the first (and second) release candidates of Pino v7. It includes a new transport system built on top of worker threads. Check it out!

Hey Everyone, this is a new edition of Adventures in Nodeland that focus on… Caching! We will cover an old module, a couple of new modules, and a few interesting articles. Enjoy!

I’m always surprised when I go back to an old module and see how well engineered something is. In this case, I would like to cover fastify-etag.

Hey Folks! Last week I have been on a nearby beach with Zoe relaxing, so not much Open Source time… but I still have a few goodies to show! Check them out.

EcmaScript 2021 has been approved and it contains a few features I love. WeakRefs and FinalizationRegistry are a fundamental stepping stone to implement old & new APIs in a safe and not memory-leaking way. I can’t wait to use them more… and you can now because they are already in Node.js v14+. We use them in Undici v4 to make sure we do not leak memory on an edge case: https://github.com/nodejs/undici/blob/0f5637d6194c8662f707158b3973c4cdd92404de/lib/compat/dispatcher-weakref.js.

News from the Interwebs

Are we returning to the office? Or is the future remote? - Andreessen Horowitz

Work during COVID has underscored how distributed teams working remotely can be effective and accelerated the shift from the way we worked in the industrial age to optimizing how we work for the information age.

a16z.com

Hi Everyone! What happened in Nodeland this week? Undici v4, more typescript, and many more things

Undici v4 is out! I am so happy we finally shipped the new version. There is a bit of its story in this newsletter: I think you’ll like to announcement blog post.

Hi Everyone! What happened in Nodeland this week? Me writing some typescript, more videos and React 18!

I want to start this week by celebrating a pull request that I wrote for Undici. I was reading a bug related to our types…. and I knew how to fix it. It clicked, and I jumped into Vim straight away as I wanted to practice my TypeScript. After a couple of iterations, I landed on the Interceptable type. All that time spent helping and reviewing the TypeScript work by Ethan, Igor and many others helped a lot. Thank you, folks.

If you are interested in the PR, here it is:

Added an Interceptable type by mcollina · Pull Request #826 · nodejs/undici · GitHub

Fixes #824

github.com

Hi Folks! This week there is a slightly reduced edition due to some needed stress-relief vacation. After almost 5 months without a break, I needed a few days to recharge and play with my daughter Zoe.

My talk at RedisConf 2021 has been finally published on Youtube! I am incredibly proud of this work. I wrote about it in Issue 2 of this Newsletter! If you use ioredis, this is a must-watch as autopipelining could improve your database throughput by 2-3x.

Is the cloud worth it?

Hi Everyone! What happened in Nodeland this week? A few new releases, interesting discussions and new features in Fastify, Pino and Node.js!

In the above Twitter thread, I talk about a day in my life as a maintainer of more than 400 modules… it’s quite a different experience in our JavaScript ecosystem than most application developers are used to.

Good reads

The article I would like to highlight this week is a piece that was mentioned during one of our internal meetings at NearForm, on learning how “saying no” can prevent scope creep in our projects:

Hi Everyone! Another week has passed and it came with so many important Open Source contributions in the communities I participate in: Pino, Fastify and Node.js Core. Check them out!

Pino

I already wrote extensively of the new transport system in Pino@7 that we are developing at https://github.com/pinojs/pino/pull/1003: it will allow you to create in-process transport similar to Winston or Bunyan, with no overhead on the main thread, as they will run inside a worker thread.

One of the biggest challenges of this approach is handling the shutdown of the process correctly. Two cases cause Node.js to exit: it can exit naturally if there are no more asynchronous things to do or manually by calling `process.exit(code)`. For the first case, we are calling unref() on the Worker thread to let the process exit even if the transport thread is running. In the second case, we thought of adding a handler to the `‘exit’` event to gracefully shut down the worker and ensure that all log messages are delivered independently of the status of the main thread. However, this approach had a significant obstacle to overcome: the `‘exit’` handler must be synchronous.

Hi Folks! Another week as passed and I’m going to list what I saw happening in Nodeland. First, we have an interesting puzzle with AsyncI terators, then a few bits of content, a (tough) security vulnerability with CSRF, and a job post that list Fastify as part of their stack! I really like this issue, I hope you can enjoy it as well.

I have always been a huge proponent of Async Iterators as a standard way to model streaming data. Async iterators are easier to understand and use compared to all the streams primitives on both the Web and Node.js. Even if they are simple to use and create, you still need to be aware of what is happening underneath.. as all I/O abstractions are leaky. Read up in this twitter thread:

Why is it relevant? The snippet above assumes that each async iterator could be completely disposed by the garbage collector. In Node.js, this is not the case if the async iterator wraps a native resource, such as a file descriptor, a Node.js Stream. Therefore, you need to manually dispose of files and sockets (and any other native resources).

Why was Node.js implemented in this way? The garbage collector is non-deterministic, therefore it’s not possible to rely on it to close native resources as soon as they are out of scope: if we supported this case, they could be left lingering in memory for a long time, leading to hard to debug “EMFILE” errors (the kernel error that is returned if the process cannot create more files).

Undici v4 is coming… and we have fix a really hard bug! This week newsletter is focused on a few key bugs I fixed along the way and a few relevant articles that popped up in my twitter feed.

I almost dropped out of the Open Source community because of the entitlement that user feels, and how bad they treat their maintainers. I call them “Open Source Vampires” and I’m extremely aware of their danger to all the communities we old dear.

In the following blog post Bret explores the topic in great length, take a read:

The social contract of open source

Even though I gave a keynote with an accompanying blog post all about setting expectations for open source participation, I felt it was time to do another blog post to directly address the issue of entitlement by some open source users which is hurting open source, both for themselves and

snarky.ca

Hi Everyone! Last week has been a flurry of activity on all Open Source projects I’m maintaining - check them out!

Mercurius

Hi Everyone! Last week has been an issue

I would like to thank Nader to have created such an amazing meme. Thank you so much!

Node.js v16.0.0 is here!

We shipped Node.js v16.0.0! I’m proud of this release that ships quite a few much-needed deprecations as well as the stabilization of the new promise-capable timers. Read more at https://nodejs.org/en/blog/release/v16.0.0/. The most important news is that this release will provide a “fat binary” to support both Intel and Apple Silicon Macs! Due to some incompatibilities with previous versions, it will not be backported to v14 so we recommend all Apple Silicon users to migrate as soon as possible.

Hi Everyone! I’ve started a newsletter to share my thoughts on technology, the advancements of Node.js and to keep all of you up-to-date of what I’m working on. This newsletter might be weekly, biweekly or monthly… we’ll see how it evolves in the coming months.

Software Architecture

Why AWS Lambda Pricing Has to Change for the Enterprise

Enterprises can gain significantly from the scalability of FaaS - yet a price comparison between EC2, Lambda, and Fargate, the AWS-managed container service reveals an ugly truth.

www.infoq.com

I would recommend everybody to read the article above when deciding to use AWS Lambda for your next project. The article compare the pricing cost of AWS Lambda against Fargate, EC2 and EC2 spot instances. The article is technology-agnostic and it focuses on spinning up containers/apps for CPU-intensive tasks. The outstanding result of this analysis is that AWS Lambda is 2.4 more costly than AWS Fargate, and 7.1 compared to EC2.