
Adventures in Nodeland

July 18, 2022

Custom ESM Loaders, Fastify v4.2.1, Undici security release and other Adventures in Nodeland - Issue #68

Hi Everyone, this week has been busy with new releases. The biggest news is a refactoring of Loaders in Node.js, allowing multiple chainable loaders to modify your source simultaneously. Other news is about multiple releases throughout the Fastify ecosystem. Check them out!

Fastify

  • Fastify v4.2.1 was the result of the work of 17 people, 14 of whom are first-time contributors! Those are mostly docs and bug fixes: every contribution is welcome!
  • fastify-bearer-auth v8.0.1 and v7.0.2 fix a vulnerability in how crypto.timingSafeEqual() was used, which made it possible to guess the password length and enabled brute-forcing.
  • @fastify/jwt v6.3.0 adds the types for using ES256 with a passphrase with TypeScript, replacing http-errors with @fastify/error. v6.3.1 adds the type for the decoratorName option.
  • @fastify/rate-limit v7.1.0 adds the onExceeding and onExceeded callbacks. @fastify/rate-limit v7.2.0 lets the user choose the Redis namespace.
  • @fastify/express v2.0.1 removes a type export that was removed in v2.0.0.
  • @fastify/cookie v7.1.0 improves the typings and flips it back to use the original cookie module, as they released a new version in April. v7.2.0 adds the signCookie decorator and utilities.
  • light-my-request v5.1.0 updates its typing to match @types/node for the HTTP server. v5.2.0 adds support for AbortController.
  • @fastify/soap-client v2.0.0 contains the update to Fastify v4.

Pino

thread-stream v2.0.0 changes how developers should handle errors: if an asynchronous method is called, the error is emitted in a subsequent tick rather than thrown. Pino v8.2.0 ships with the updated thread-stream v2.0.0.

Node.js

How could we support typescript without vendoring it? · Issue #43818 · nodejs/node · GitHub
I would like Node.js to provide an almost-native developer experience for running TypeScript.
github.com
  • Undici v5.7.0 ships with an updated llhttp, faster body mixins, and it brings back support for the “old” Node.js v16.8.0.
  • 0x v5.4.0 fixes an issue when doing cross-device file linking.
Release v5.8.0 · nodejs/undici · GitHub
Undici v5.8.0 is out with two important security fixes. The first is a CRLF injection in the request path, method, and headers for undici.request(). The second concerns cookies not being cleared on cross-host / cross-origin redirects.
github.com

News

Node.js v18.6.0, which shipped last week, included an amazing new feature: chainable loaders. Read more about them from Jacob, one of the minds behind this feature:

Custom ESM loaders: Who, what, when, where, why, how
Most people probably won’t write their own custom ESM loaders, but using them could drastically simplify your workflow. Custom loaders are a powerful mechanism for controlling an application, providing extensive control over loading modules—be that data, files, what-have-you.
dev.to

Here is an evergreen question: should you be able to roll back a change or “migrate down”? The generic answer seems to be that you cannot roll back changes or rewind history.

You Can’t Have a Rollback Button
I’ve worked with deploy systems in the past that have a prominent “rollback” button, or a console incantation with the same effect. The presence of one of these is reassuring, in that you can imagine that if something goes wrong you can quickly get back to safety by undoing your last change.
blog.skyliner.io

The OpenJS Foundation has published the first progress report on the Alpha-Omega project funding to keep Node.js secure. Read more at:

Progress Report - Strengthening Node.js Security - OpenJS Foundation
In April this year, the OpenJS Foundation announced the Open Source Security Foundation (OpenSSF) had selected Node.js as their initial project to help improve supply chain security. As part of…
openjsf.org