Adventures in Nodeland

September 26, 2022

Platformatic DB and other Adventures in Nodeland - Issue #78

Hi Everyone, I’m so proud that on Thursday we unveiled Platformatic DB to the world. It’s our first tool that we release as Platformatic. Check it out!

Our first Open Source tool: Platformatic DB
As I mentioned in my first article and video, Platformatic’s mission is to remove all friction from backend development. Today, we Open Source the first library of our journey. What’s the most annoying thing every backend developer must do at the beg…
blog.platformatic.dev

Are you looking to learn Platformatic DB? We’ll be at NodeConf.eu!

Releases

  • fastify-mongodb v6.1.0 ships a refactoring to use the MongoDB promise APIs.
  • mercurius-cache v3.0.0 fixes a bad bug that resulted in calling the resolver twice in cases of errors.
  • readable-stream v4.2.0 updates the stream’s implementation to Node v18.9.0 and removes the requirement for bundler custom config.
  • fastify-csrf v6.0.0 adds a new algorithm option and sets the default algorithm to sha256.
  • autocannon v7.10.0 accepts host header case-insensitively.
  • @fastify/csrf-protection v6.0.0 updates to fastify-csrf v6.0.0 to change the algorithm to sha256.
  • fastify-cookie v8.3.0 adds support for Buffer secrets.
  • fastify-swagger v7.6.1 fixes the type definition for fastify.swagger({ yaml: true }).
  • fast-json-stringify v5.4.0 significantly improves cold start performance.

Articles I found interesting

Security releases for Node.js | September 23rd 2022
Include fixes for:
  1. DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) (High) (CVE-2022-32212, CVE-2018-7160)
  2. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (Medium) (improper fix for CVE-2022-32215)
  3. CVE-2022-32213 bypass via obs-fold mechanic (Medium) (CVE-2022-32213)
  4. HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium) (CVE-2022-35256)
  5. Node 18 reads openssl.cnf from /home/iojs/build/… upon startup on macOS (Medium) (CVE-2022-32222)
  6. Weak randomness in WebCrypto keygen (High) (CVE-2022-35255)
nodejs.org

In May 2021, I fixed a critical problem in the cross-site request forgery protection of Fastify: https://github.com/fastify/csrf-protection/security/advisories/GHSA-rc4q-9m69-gqp8. This fix took a few months, and I had to fork the csrf module too. The same problem affected all CSRF libraries in the Node.js world, however only a few issued CVEs for them. Snyk explains the attack in great detail:

Explaining the csurf vulnerability: CSRF attacks on all versions | Snyk
On September 11th, 2022, Snyk published a vulnerability report for the popular CSRF token management csurf npm package. The vulnerability impacts all known versions, which are currently yielding more than 400,000 downloads per week.
snyk.io

What could be an edge against competitors? Building your own tool rather than buying one from a vendor. In the following story from Wise, they explain how they built the first cloud-based card processing system.

How Wise built the world’s first cloud-based card processing
Tapping our debit or credit card has become so commonplace for everyday spending that we often don’t think twice about it. But what happens to make the card machine go beep? Let’s break it down — as there are more than a few steps involved. …
medium.com

SQLite for the win

At Platformatic we are huge fans of SQLite. The next two articles recap the status of the SQLite project, offer a glimpse of its future, and look at how it could be used as a distributed database.

SQLite: Past, Present, and Future
SQLite is the most widely deployed database engine (or likely even software of any type) in existence. It is found in nearly every smartphone (iOS and Android), computer, web browser, television, and automobile.
muratbuffalo.blogspot.com
Introducing LiteFS
Fly.io runs apps close to users around the world, by taking containers and upgrading them to full-fledged virtual machines running on our own hardware around the world. We’re also building an open-source distributed file system for SQLite called LiteFS which is pretty cool too.
fly.io

If you are interested in SQLite, check out the Platformatic DB tutorial: you’ll be creating an application to manage Movie Quotes!

Movie Quotes App Tutorial | Platformatic OSS
This tutorial will help you learn how to build a full stack application on top of Platformatic DB and Astro.
oss.platformatic.dev