Platformatic Deploy, CVEs for fastify modules, npm provenance and other Adventures in Nodeland
Hi Folks,
Almost two weeks have passed since the last update. Things are hectic at Platformatic between conferences, new features, and bug fixing. This edition links everything we released in the last two weeks, including two essential security updates for @fastify/csrf-protection and @fastify/passport.
Platformatic
In the last two weeks, we have published much Platformatic content.
We have introduced the new platformatic deploy command.
We have published a new guide on how to integrate Platformatic with Auth0 and Next.js, building a secure frontend with a secure backend.
We have released our interviews:
* Luca's interview
* my interview
Last but not least, here is an article explaining why we are building Platformatic: "The Business case for extensible APIs".
Security fixes for @fastify/passport and @fastify/csrf-protection
Pedro Adão (@pedromigueladao) (Instituto Superior Técnico, University of Lisbon) and Marco Squarcina (@lavish) (Security & Privacy Research Unit, TU Wien) performed an analysis of session handling on Fastify, and they reported three vulnerabilities that led to the following releases:
- @fastify/csrf-protection v6.3.0 (for Fastify v4.x) and v4.1.0 (for Fastify v3.x) fix a vulnerability (CVE-2023-27495) that can lead to a bypass of the CSRF protection when userInfo is predictable. More details at GHSA-qrgf-9gpc-vrxw.
- @fastify/passport v2.3.0 and v1.1.0 fix two vulnerabilities:
  - CVE-2023-29020: the CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers. More details at GHSA-2ccf-ffrj-m4qw.
  - CVE-2023-29019: applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. More details at GHSA-4m3m-ppvx-xgw9.
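As an added example (not code from this newsletter, Fastify, or Platformatic), here is a small Node script that walks a dependency tree in the shape printed by npm ls --all --json and flags every install of the two packages above that is older than the fixed releases the advisories list. The tree shape is an assumption about the npm output, the sample project is constructed, and the version thresholds are exactly those named above; a major line the advisories do not mention (for instance @fastify/csrf-protection 5.x) is reported separately rather than assumed safe, and nested copies bundled by another plugin are reported with their full path because they are just as exploitable as a top-level install.

```javascript
// Added example, not code from the newsletter, Fastify or Platformatic.
// Assumed input shape (as produced by `npm ls --all --json`):
//   { name, version, dependencies: { <pkgName>: { version, dependencies } } }

// Fixed release per major line, exactly as listed in the advisory summary above.
// A major with no entry (e.g. @fastify/csrf-protection 5.x) is NOT treated as safe.
const FIXED_RELEASES = {
  '@fastify/csrf-protection': {
    advisories: ['CVE-2023-27495 (GHSA-qrgf-9gpc-vrxw)'],
    byMajor: { 6: '6.3.0', 4: '4.1.0' },
  },
  '@fastify/passport': {
    advisories: ['CVE-2023-29020 (GHSA-2ccf-ffrj-m4qw)', 'CVE-2023-29019 (GHSA-4m3m-ppvx-xgw9)'],
    byMajor: { 2: '2.3.0', 1: '1.1.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; throw on anything else so a malformed
// version is never silently classified as fixed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator returning -1, 0 or 1. A prerelease sorts before the same release
// (6.3.0-rc.1 < 6.3.0), which matters because a 6.3.0 prerelease need not carry the fix.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Classify one installed version of a tracked package:
// 'fixed', 'vulnerable', or 'unlisted-major' (no fixed release known for that major).
// Returns null for packages this check does not track.
function classify(name, version) {
  const entry = FIXED_RELEASES[name];
  if (!entry) return null;
  const installed = parseVersion(version);
  const fixedIn = entry.byMajor[installed.major];
  if (!fixedIn) return { status: 'unlisted-major', fixedIn: null, advisories: entry.advisories };
  const status = compareVersions(installed, parseVersion(fixedIn)) < 0 ? 'vulnerable' : 'fixed';
  return { status, fixedIn, advisories: entry.advisories };
}

// Walk the whole tree (depth first) and collect every non-fixed install with its path.
function findVulnerable(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (!node.version) {
      // npm ls lists unresolved/missing entries without a version; surface those
      // for a manual look instead of skipping them.
      if (FIXED_RELEASES[name]) out.push({ name, version: null, path: here.join(' > '), status: 'unresolved' });
    } else {
      const result = classify(name, node.version);
      if (result && result.status !== 'fixed') {
        out.push({ name, version: node.version, path: here.join(' > '), ...result });
      }
    }
    findVulnerable(node, here, out);
  }
  return out;
}

// Constructed sample tree (not a real project) covering the interesting cases.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@fastify/csrf-protection': { version: '6.2.0' },            // older than 6.3.0: vulnerable
    '@fastify/passport': { version: '2.3.0' },                   // fixed release: not reported
    'legacy-plugin': {
      version: '0.1.0',
      dependencies: { '@fastify/passport': { version: '1.0.1' } }, // nested copy older than 1.1.0
    },
    'other-plugin': {
      version: '2.0.0',
      dependencies: { '@fastify/csrf-protection': { version: '5.0.0' } }, // major not in the summary
    },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_TREE), null, 2));
```

To run it against a real project, replace SAMPLE_TREE with the parsed output of npm ls --all --json from the project root; anything reported as 'unlisted-major' or 'unresolved' needs a manual check against the linked advisories rather than being assumed safe.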
Releases
- fastify v4.16.0 implements support for passing a custom text resolution for the starting log line, adds a preClose hook, and includes many updates to docs and types. v4.17.0 fixes a regression introduced in v4.16.0 and adds a few missing error codes.
- @fastify/fast-json-stringify-compiler v4.3.0 updates the fast-json-stringify dependency to v5.7.0.
- @fastify/websocket v8.0.0 refactors the shutdown logic so that no listener is leaked on the server after the server is closed.
- mercurius v13.0.0
- @mercuriusjs/federation v2.0.0 updates to mercurius v13.0.0
- @fastify/session v10.3.0 makes the typings stricter.
Articles
- GitHub has finally unveiled support for npm package provenance. If we combine it with fine-grained access tokens, we can now build an automated release pipeline on top of GitHub Actions (and soon other vendors). Check it out.
- Read the story on how the Vite team made Vite 4.3 faaaaster.
- Is it possible to make Prisma cold start on serverless faster? Apparently, the answer is yes.
- Have you ever wondered how to create custom Apple Wallet passes with React Native and Fastify?
- A few people have asked me why I prefer writing things in JavaScript rather than TypeScript. According to recent benchmarks, using TypeScript can slow you down 2x.
- This is a must-read article on software optimization and how to write fast software. "The effort needed to optimize code grows exponentially. In other words, to multiply the performance by N, you need 2^N optimizations." - https://lemire.me/blog/2023/04/27/hotspot-performance-engineering-fails/
Upcoming Events
If you would like to meet me in person, you will find me at these upcoming events:
- Open Source Summit / OpenJS World / OpenJS Collaborators' Summit - Vancouver, Canada - 9-12th of May
- JSNation - Amsterdam, Netherlands - 1st of June
- GraphQL Conf - San Francisco, California, USA - 19-22nd of September