November 8, 2021
Adventures in Nodeland - Issue #34
Hey Everyone, another week in Nodeland has passed! This edition covers some improvements on npm, two fastify releases and a pino release!
After a couple of modules were released with a Windows virus included last week, we are now debating whether to disable postinstall scripts by default in npm packages. I believe this is a great step we should take. Read the RFC… will the npm team implement it?
Install scripts that can run just about anything by default pose some pretty serious security considerations, and these are increasingly moving out of the theoretical realm and becoming actively exploited. See for example here: https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/.
At the same time, we have developed better techniques for many of the most common use cases for install scripts in the many years since npm originally included them. In particular, N-API offers a compelling alternative to binary packages that are built on the users’ computer. However, even before this, many packages are choosing to just pre-build for multiple platforms ahead of time to handle most of the common installation targets and make the install process easier on the user in general.
Instead of by default always running the install scripts (preinstall, install, postinstall, prepublish, preprepare, prepare, postprepare) if they are present during the install process, provide flags to require users to explicitly allow them to run, either wholesale as “one big switch”, or on a package by package (and optionally version by version) basis. Also provide matching npm config options to do the same globally and permanently instead of on every install.
I’m incredibly happy that after 194 releases of Fastify we can still fix some “bad” bugs that could potentially lead to a crash. Fastify v3.23.0 is such a release: Davide Fiorello who is currently working on one of “my” projects at NearForm identified and quickly fixed it. Thanks!
Fast and low overhead web framework, for Node.js. Contribute to fastify/fastify development by creating an account on GitHub.
You can read more about the actual problem at:
Adds a check on the existence of the request socket before accessing the attributes. It should fix #3419.
The above condition can happen if the incoming socket is destroyed before the server could respond.
Unfortunately that release/PR did not fix all the problems, so we got v3.23.1 shipped in a hurry! Here are the two links:
Fast and low overhead web framework, for Node.js. Contribute to fastify/fastify development by creating an account on GitHub.
Adds a check on the existence of the request socket before accessing the attributes; a check was missed in a previous commit.
The v7.1.0 release of pino brings quite a few improvements to thread-stream (v0.12.0) and it starts reporting a deprecation warning if pino.final() is used in Node v14. We have also improved our docs quite a bit!
🌲 super fast, all natural json logger. Contribute to pinojs/pino development by creating an account on GitHub.
My colleague Paolo Insogna has also been busy in adding support for bundlers for pino.transport(). More news to come next week!
Last week’s big news was Apollo GraphQL announcing Federation v2 with a few novelties… and a license change! A few libraries of their stack are moving to the “Elastic License”. You can read about it in the two following articles:
We build the Apollo Graph Platform to help developers unify GraphQL across their apps and services.
I think this news is bittersweet. I understand their reasoning behind this change, however I think the GraphQL community will suffer from this change. You can read a counterargument at:
Gather around, my friends, for there is another company which thinks we are stupid and we enjoy having our faces spat in. Apollo Federation has announced that they will switch to a non-free license.
Do you know how database indexes work? You should! In the era of “metered” databases, a wrong query can cost you a small fortune. Read up:
How we got here At Superwall we’re building an SDK to help App Developers increase their revenue by showing the right offer to the right person at the right time. To deliver this service, we need to keep track of all of our customer’s users, the end users.
Redis is one of my favorite databases, as it offers all sorts of amazing data structures.
Redis is one of the most powerful and versatile pieces of technology I’ve come across. Sadly, most people only know it because it makes for a good caching solution.