Adventures in Nodeland

June 6, 2022

OpenJS World 2022 and other Adventures in Nodeland - Issue #62

Hey Folks, I’m writing this after I landed in Austin for OpenJS World 2022. I’m really excited about meeting everybody in person after more than two years. In this issue you’ll find a few releases and a few quite interesting articles… including one on how NOT to do security research. Let me know what you think!

OpenJS World
This week I will be delivering one of the keynotes at OpenJS World, titled “Everybody is responsible for performance”. The event will be hybrid; register to view it online as well!
events.linuxfoundation.org

Fastify

The wait for Fastify v4 is almost over and we are ready to ship it. We had a few bugfixing releases as well as some major refactoring in fast-json-stringify:

  • fastify v4.0.0-rc.4 and v4.0.0-rc.5
  • @fastify/swagger v6.1.0
  • find-my-way v6.3.0
  • fast-json-stringify v4.0.0

Pino@8!

pino v8.0.0 ships with a few changes:

  • drop support for Node v12
  • asynchronous logging by default
  • support for Error.cause
  • drop of all previous deprecations

sonic-boom v3.0.0

thread-stream v1.0.0

pino-pretty v8.0.0

Node.js

We shipped undici v5.4.0, which resolves the Headers issue about forbidden headers: we decided to deviate from the spec and allow all headers. Read more at https://github.com/wintercg/fetch/issues/6.

Last week npm disclosed a very important vulnerability, CVE-2022-29244, that could have led to secrets being shipped within packages when using npm workspaces. Please update your node and npm installations; they have all been patched already.

News

What are components? Could we live in a component-less future? Read up on the point of view of Ryan Solid:

Components are Pure Overhead
A couple of years ago in The Real Cost of UI Components, I explored the cost of components in JavaScript frameworks.
ryansolid.medium.com

Firecracker is exploding into its own little ecosystem. Check out how Stripe has been using it to create a fast and secure build system.

Fast builds, secure builds. Choose two.
From data pipelines written in Scala and Python to infrastructure defined in Terraform, Stripe engineers interact with many different programming languages daily. We rely on complex build pipelines to convert Go source code into native binaries, Java into bytecode, and TypeScript into transpiled bundles for the Stripe Dashboard.
stripe.com

Security researchers should NOT perform supply chain attacks to prove their theories. However, that’s essentially what happened in the PHP community, and it has caused all teams to scramble and update their systems. Read up:

How I hacked CTX and PHPass Modules
All this research DOES NOT contain any malicious activity. I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.
sockpuppets.medium.com

If you are a heavy-duty OSS maintainer, you have no time to waste. Most of us now require a minimal reproduction before engaging in an issue. Check out Anthony’s long explanation:

Why Reproductions are Required
If you have ever browsed the issue lists in my repos or created one, you might sometimes see I reply with the following comment and then close the issue: We temporarily close this due to the lack of enough information.
antfu.me

If you are working at a tech firm and you would like to be promoted, you should really assess what kind of documentation you would need for that promotion. What lesson could we learn? If something did not have an impact, then it’s not important for your career and you can actually avoid it. Read the full article:

Why I Quit Google to Work for Myself
For the past four years, I’ve worked as a software developer at Google. On February 1st, I quit.
mtlynch.io

If you have a background in Security, you might want to apply to the Alpha-Omega position.

Partners

  • This Week in React: the best of React & React Native news. Sebastien filters the noise, and you save time!

Do you like this newsletter? Would you like to sponsor it? Check out the new sponsorship page.
