Adventures in Nodeland
August 16, 2022

Adventures in Nodeland - Issue #72

Hi folks, I’m sorry for the delayed send - yesterday it was a national holiday here in Italy and I went on a boat trip on the lake created by the dam of Ridracoli with my family. Our daughter loved it!

Fastify

  • fastify-cli v5.0.1 fixes a bug introduced with the latest eject refactor. fastify-cli v5.1.0 makes the graceful termination timeout configurable.
  • @fastify/cookie v7.4.0 integrates cookie-signature. @fastify/cookie v8.0.0 avoids decorating the application instance with signCookie and unsignCookie if a plugin secret was not set.
  • @fastify/reply-from v8.2.0 replaces http-errors with @fastify/errors and fixes a TypeScript issue. The TypeScript change was reverted in v8.2.1.
  • github-action-merge-dependabot v3.2.2 resolves a security vulnerability due to the @actions/core v1.9.0 dependency.
  • fastify-plugin v4.2.0 adds generics for RawServer and TypeProvider.
  • @fastify/nextjs v9.0.0 updates to the latest Next.js and Fastify versions.
  • @fastify/under-pressure v8.0.0 updates dependencies.
  • @fastify/postgres v5.1.0 adds types to the declaration merge for the route transact option in TypeScript.

Pino

In v9 of pino-pretty, we drastically simplified the logged line from pino-pretty to focus on a development workflow by default; check it out!

pino v8.4.1 completes the fix started in v8.4.0 to support using pino.destination() within worker_threads.

Node.js

Release v5.8.2 · nodejs/undici · GitHub
This release contains two security fixes:
  • CRLF Injection in Nodejs ‘undici’ via Content-Type GHSA-f772-66g8-q5h3 CVE-2022-35948
  • undici.request vulnerable to SSRF using absolute URL on pathname GHSA-8qr4-xgw6-wmr3 CVE-2022-35949
github.com

I’m always fascinated by what people can do with Open Source software; this week it’s a PR to Node.js that adds iOS as a compilation target: https://github.com/nodejs/node/pull/44210

News

What would it take to secure NPM against supply chain attacks? According to npm, strong cryptography and a ledger. Check it out:

New request for comments on improving npm security with Sigstore is now open | The GitHub Blog
Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.
github.blog

I find this interview with Sam Lambert of PlanetScale incredibly fascinating. Read up:

PlanetScale CEO on Cloud-Prem and Climbing the Engineering Ladder
Sam Lambert is CEO of PlanetScale, a MySQL-compatible serverless database provider. Prior to joining PlanetScale (then as chief product officer), he was VP of engineering at GitHub. In this interview, Lambert discusses a number of topics related to cloud native software-delivery models, including what good serverless looks like, who should run Kubernetes, and the emergence of “cloud-prem” — a deployment model that combines the strengths of on-prem software and SaaS offerings.
future.com

Are you using JavaScript? Igalia was key to some of the amazing work TC39 has done over the years.

Igalia: the Open Source Powerhouse You’ve Never Heard of
Earlier this year Mozilla decided to stop development on its mixed reality browser. Rather than shuttering the project completely, it passed the source code to open source consultancy Igalia, which is using it to build the Wolvic browser.
thenewstack.io

JSON Schema with Fastify how to validate and serialize
Many developers have complained about the fact that Fastify uses ajv and fast-json-stringify under the hood to provide validation and serialization of JSON data, but those instances have never been exposed. As a result, developers couldn’t use those instances to process JSON schemas in their routes’ handlers. Thanks to @metcoder95, this pain was finally relieved!
backend.cafe

Faster page loads using server think-time with Early Hints - Chrome Developers
Remember HTTP/2 push? Early Hints is the new take on the problem. It’s simpler and backward compatible. It just works. Check it out!
developer.chrome.com

Ignoring mass reformatting commits with git blame – Rob Allen's DevNotes
I’m a huge fan of git blame to identify which commit broke some use case (usually added by me). Therefore I was really scared of changing the formatting of the code - one of my favorite tools would stop working. No more, thanks to .git-blame-ignore-revs.
akrabat.com

The biggest news is Deno doing a massive turnaround in its relationship with Node.js and npm, adding support for fetching modules from the npm registry. It’s a great win for the ecosystem!

Big Changes Ahead for Deno
Learnings from our recent survey and feedback from across our community. We’ll discuss how we’re addressing this feedback and the features to expect from Deno in the coming months.
deno.com