Platformatic DB and other Adventures in Nodeland - Issue #78
Hi Everyone, I’m so proud that on Thursday we unveiled Platformatic DB to the world. It’s the first tool we release as Platformatic. Check it out!
Are you looking to learn Platformatic DB? We’ll be at NodeConf.eu!
Releases
- fastify-mongodb v6.1.0 ships a refactoring to use the MongoDB promise APIs.
- mercurius-cache v3.0.0 fixes a bad bug that resulted in calling the resolver twice in cases of errors.
- readable-stream v4.2.0 updates the stream’s implementation to Node v18.9.0 and removes the requirement for bundler custom config.
- fastify-csrf v6.0.0 adds a new algorithm option and sets the default algorithm to sha256.
- autocannon v7.10.0 accepts the host header case-insensitively.
- @fastify/csrf-protection v6.0.0 updates to fastify-csrf v6.0.0 to change the algorithm to sha256.
- fastify-cookie v8.3.0 adds support for Buffer secrets.
- fastify-swagger v7.6.1 fixes the type definition for fastify.swagger({ yaml: true }).
- fast-json-stringify v5.4.0 significantly improves cold start performance.
Articles I found interesting
- DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) (High) (CVE-2022-32212, CVE-2018-7160)
- HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (Medium) (improper fix for CVE-2022-32215)
- CVE-2022-32213 bypass via obs-fold mechanic (Medium) (CVE-2022-32213)
- HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium) (CVE-2022-35256)
- Node 18 reads openssl.cnf from /home/iojs/build/… upon startup on macOS (Medium) (CVE-2022-32222)
- Weak randomness in WebCrypto keygen (High) (CVE-2022-35255)
In May 2021, I fixed a critical problem in the cross-site request forgery protection of Fastify: https://github.com/fastify/csrf-protection/security/advisories/GHSA-rc4q-9m69-gqp8. This fix took a few months, and I had to fork the csrf module too. The same problem affected all CSRF libraries in the Node.js world; however, only a few issued CVEs for them. Snyk explains the attack in great detail:
What could be an edge against competitors? Building your own tool vs buying one from a vendor. In the following story from Wise, they explain how they built the first cloud-based card processing system.
SQLite for the win
At Platformatic we are huge fans of SQLite. The next two articles recap the status of the SQLite project, provide a glimpse of its future, and look at how we could use it as a distributed database.
If you are interested in SQLite, check out the Platformatic DB tutorial: you’ll be creating an application to manage Movie Quotes!