Adventures in Nodeland - Issue #7 - I have become a meme! Welcome Node v16!
Hi Everyone! Last week has been an issue
I would like to thank Nader for creating such an amazing meme. Thank you so much!
Node.js v16.0.0 is here!
We shipped Node.js v16.0.0! I’m proud of this release, which ships quite a few much-needed deprecations as well as the stabilization of the promise-based timers API. Read more at https://nodejs.org/en/blog/release/v16.0.0/. The most important news is that this release provides a “fat binary” for macOS that supports both Intel and Apple Silicon Macs! Due to some incompatibilities with previous versions, it will not be backported to v14, so we recommend that all Apple Silicon users migrate as soon as possible.
This new release also ships a new version of llhttp that is significantly stricter about HTTP parsing, removing the so-called “lenient mode”. However, this broke undici@3.x and therefore mercurius and fastify, which both use it, albeit in different ways. This was quickly resolved in https://github.com/nodejs/undici/pull/754 and I then shipped fastify@3.15.0 to officially support Node.js v16.
Remember that Node.js v10 goes out of support at the end of April 2021. With just a few days to go, you must start your update now, as it might take a few weeks to update all your code and dependencies.
OSS life!
One of the recurring topics of my readings has been the ongoing debate between cloud providers and Open Source vendors. As you might be aware, Elastic changed the licensing of Elasticsearch to the SSPL, and Grafana is following suit in relicensing.
Do you wonder why all of those changes are possible? Because all previous contributions were submitted under a Contributor License Agreement (CLA) to a commercial entity. If the project you love has a CLA that does not assign the license to a Foundation, then be certain that it is a commercial product and that its owner can change the licensing at their whim. (There is nothing bad about building a commercial product! Be transparent about it, but… would you send a contribution to somebody else’s commercial product?)
Security
As you may have noticed, I have taken a close interest in the evolution of GitHub Actions: they have been under a security storm and GitHub has been great at rolling out incremental improvements week after week. The first of the two changes that shipped last week aims to improve the developer experience and tighten security at the same time: you can now specify the individual permissions granted to the GITHUB_TOKEN for each of your workflows and jobs.
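What this looks like in practice, as an added example that is not part of the newsletter or of any project mentioned in it: a workflow that sets a read-only token as the default for every job and elevates only the one job that needs to write to pull requests. The workflow name, repository layout and steps are hypothetical.

```yaml
# Added example (not from the newsletter): scoping the GITHUB_TOKEN with the
# "permissions" key instead of relying on the default read/write token.
# Workflow name, repository contents and steps are hypothetical.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: every job gets a read-only token unless it says
# otherwise. Once "permissions" is present, any scope not listed is "none".
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only token: a compromised test dependency or a
    # malicious npm postinstall script cannot use it to push commits,
    # publish releases or edit issues.
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 16
      - run: npm ci
      - run: npm test

  label:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    # Job-level "permissions" replaces the workflow default entirely, so this
    # job gets pull-requests: write and nothing else (contents becomes none;
    # it does not check out code, so it does not need it).
    permissions:
      pull-requests: write
    steps:
      - uses: actions/github-script@v4
        with:
          script: |
            await github.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['ci-passed'],
            })
```

The point to check when adopting this: run the workflow on a pull request once and look at the “GITHUB_TOKEN Permissions” section at the top of each job’s log, which lists exactly which scopes the job received.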
The second change that shipped last week is aimed at potential attackers: we Open Source maintainers will now need to approve the workflow runs triggered by first-time contributors to a project. While this is a minor annoyance, it helps protect both the infrastructure and the projects. Thanks GitHub!
The last piece of security news is the major breach of the popular Codecov service: its Bash Uploader was modified to exfiltrate environment variables, including CI secrets. If you are using Codecov in any repository that has access to secrets, you must audit what those CI runs could reach and rotate those secrets if there is any doubt.
This breach affected HashiCorp and Terraform, as the GPG private key used to sign the Terraform binaries was exposed. While there is no evidence of misuse, this could have had massive consequences:
NearForm is hiring!
Life at NearForm is incredibly busy… we are growing at a really fast pace and we plan to onboard around 20 more team members in the coming months. In case you are looking for a new challenge in professional services, check out the available roles:
If you are interested, I’m always available to chat about what it would mean to work for NearForm. My Twitter DMs are open.
Thanks!
This newsletter has surpassed 700 subscribers and I’m totally stunned by how many of you would like to read the ramblings of a long-time Node.js enthusiast!