Adventures in Nodeland

December 20, 2021

Release week just passed.. check out new Fastify, Mercurius and many more modules in Adventures in Nodeland - Issue #39

Hi Everyone! I missed an edition because I took a week off at the beginning of December - I was exhausted, and this has been a tough year. In case you wonder, I went to Rome and Florence!

We are back to our regular schedule and I hope to keep up with the newsletter over the holidays as well. As usual, let me know what you think.

Being off for a week often means that no releases are shipped. I learned the hard way to always release when you have time to fix your mess. So... a lot of projects I maintain shipped something new last week. Check them out.

Fastify

The first release I’m going to talk about is Fastify! We are working hard to improve our documentation, so we shuffled a lot of files around and fixed all the broken links in the process. Thanks to the couple of phenomenal contributors who helped.

You can browse the new documentation at:

Documentation (latest — v3.25.0)
Fast and low overhead web framework, for Node.js
www.fastify.io
Release v3.25.0 · fastify/fastify · GitHub
Fast and low overhead web framework, for Node.js. Contribute to fastify/fastify development by creating an account on GitHub.
github.com

Mercurius

I also released a new version of Mercurius, my take on “how to write a GraphQL server”. This new release sports a couple of new options and a regression fix. Check it out:

Release v8.12.0 · mercurius-js/mercurius · GitHub
Implement GraphQL servers and gateways with Fastify - Release v8.12.0 · mercurius-js/mercurius
github.com

The most important announcement 📣 for Mercurius is a security advisory for a bug 🐛 introduced in v8.10.0. This bug caused your application to crash if invalid JSON was sent as the body of a request to a GraphQL route. It was fixed in v8.11.2. Check it out:

Uncaught Exception in mercurius · Advisory · mercurius-js/mercurius · GitHub
Make sure to update your Mercurius installation to 8.11.2 or later, there is a nasty vulnerability.
github.com
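The failure mode behind that advisory is a malformed JSON body reaching `JSON.parse` (or an equivalent) without a catch, so the SyntaxError escapes the request handler and takes the whole process down. The following is an added example, not Mercurius's own fix or code: a dependency-free body-parsing step for a GraphQL route that turns every malformed or ill-shaped payload into a 4xx result the route can answer with, instead of an uncaught exception. The `MAX_BODY_BYTES` limit, the result-object shape and the sample bodies are all assumptions made for the example.

```javascript
// Added example (not Mercurius's own code): parse a JSON request body for a
// GraphQL route without letting a malformed payload escape as an uncaught
// exception. Plain Node.js, no dependencies.

const MAX_BODY_BYTES = 1024 * 1024; // assumed limit; tune for your deployment

// Parse the raw body and return a result object instead of throwing.
function parseJsonBody(raw, maxBytes = MAX_BODY_BYTES) {
  if (typeof raw !== 'string') {
    return { ok: false, statusCode: 400, error: 'body must be a string' };
  }
  if (Buffer.byteLength(raw, 'utf8') > maxBytes) {
    return { ok: false, statusCode: 413, error: 'body too large' };
  }
  if (raw.trim() === '') {
    return { ok: false, statusCode: 400, error: 'empty body' };
  }
  let value;
  try {
    value = JSON.parse(raw);
  } catch (err) {
    // JSON.parse throws a SyntaxError on malformed input. Without this catch
    // the error propagates out of the handler and crashes the process.
    return { ok: false, statusCode: 400, error: `invalid JSON: ${err.message}` };
  }
  return { ok: true, value };
}

// A GraphQL POST body must be a JSON object with a string "query" and,
// optionally, an object "variables" and a string "operationName".
function validateGraphqlRequest(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { ok: false, statusCode: 400, error: 'body must be a JSON object' };
  }
  if (typeof value.query !== 'string' || value.query.trim() === '') {
    return { ok: false, statusCode: 400, error: '"query" must be a non-empty string' };
  }
  const vars = value.variables;
  if (vars !== undefined && vars !== null &&
      (typeof vars !== 'object' || Array.isArray(vars))) {
    return { ok: false, statusCode: 400, error: '"variables" must be an object' };
  }
  if (value.operationName !== undefined && typeof value.operationName !== 'string') {
    return { ok: false, statusCode: 400, error: '"operationName" must be a string' };
  }
  return { ok: true, value };
}

// Combine both steps: the result is either { ok: true, value } or a
// { ok: false, statusCode, error } the route turns into an HTTP response.
function handleGraphqlBody(raw) {
  const parsed = parseJsonBody(raw);
  if (!parsed.ok) return parsed;
  return validateGraphqlRequest(parsed.value);
}

// Constructed sample bodies, including a truncated one like the advisory's.
const SAMPLE_BODIES = {
  valid: '{"query":"{ hello }","variables":{"name":"world"}}',
  invalid: '{"query": "{ hello }"',   // truncated JSON, JSON.parse throws
  notObject: '[1,2,3]',
  missingQuery: '{"variables":{}}',
};

for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
  const result = handleGraphqlBody(body);
  console.log(name, result.ok ? 'accepted' : `${result.statusCode} ${result.error}`);
}
```

The point of returning a result object rather than throwing is that the route handler never has to remember to wrap the parser: the only way a body leaves `handleGraphqlBody` is as an accepted object or as a status code and message, so a bad client can produce a 400 but not a crash.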

Next week I plan to release v9 of Mercurius, sporting GraphQL v16 and a change of the default protocol for subscriptions. More on that next week!

Undici

This new release of Undici significantly improves our fetch() implementation, solving several bugs and improving its performance. We are getting closer to calling it “stable”!

Release v4.12.0 · nodejs/undici · GitHub
An HTTP/1.1 client, written from scratch for Node.js - Release v4.12.0 · nodejs/undici
github.com

I have spent quite some time investigating a potential memory leak in Undici. I think the issue is a good example of how to perform this kind of analysis… even if I concluded that there is no leak.

undici fetch has memory leak · Issue #1108 · nodejs/undici · GitHub
Bug Description When I use node-fetch or axios, then there are no memory leak like under screenshot. However, I found memory leak when I use undici.fetch. Reproducible By I made request about 50 times~200times then I found that memory le…
github.com

Here is also a commentary on the actual problem I faced at the end.
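The usual trap in a "memory leak" report like the one above is reading a rising `heapUsed` off a handful of screenshots: garbage that V8 has simply not collected yet looks exactly like a leak until you force a collection between samples and check for a sustained trend. The block below is an added example, not code from the Undici issue or from Undici itself, of that analysis: it batches a workload, forces GC when Node is started with `--expose-gc`, and fits a slope to the readings. The thresholds (`minBytesPerBatch`, `ratio`) and the two sets of readings are constructed for the example.

```javascript
// Added example (not from the Undici issue): sample heap usage across
// repeated runs of a workload and decide whether growth looks like a leak
// or just garbage the collector has not reclaimed yet.
// Run with `node --expose-gc script.js` so global.gc() is available.

// Run `workload` in batches, forcing a GC between samples when available,
// and return the heapUsed reading after each batch.
async function sampleHeap(workload, { batches = 10, perBatch = 100 } = {}) {
  const samples = [];
  for (let b = 0; b < batches; b++) {
    for (let i = 0; i < perBatch; i++) {
      await workload();
    }
    // Without a forced GC, heapUsed includes garbage not yet collected and
    // the readings cannot distinguish a leak from lazy collection.
    if (typeof global.gc === 'function') global.gc();
    samples.push(process.memoryUsage().heapUsed);
  }
  return samples;
}

// Least-squares slope of the samples in bytes per batch: a leak shows up as
// a sustained positive slope, while GC noise oscillates around a flat line.
function heapSlope(samples) {
  const n = samples.length;
  if (n < 2) return 0;
  const meanX = (n - 1) / 2;
  const meanY = samples.reduce((a, v) => a + v, 0) / n;
  let num = 0;
  let den = 0;
  for (let i = 0; i < n; i++) {
    num += (i - meanX) * (samples[i] - meanY);
    den += (i - meanX) ** 2;
  }
  return num / den;
}

// Classify a run: "leak" only if the slope exceeds minBytesPerBatch AND the
// last sample exceeds the first by more than `ratio`; otherwise "stable".
// Both thresholds are assumed values; tune them to the workload.
function classifyHeap(samples, { minBytesPerBatch = 64 * 1024, ratio = 1.5 } = {}) {
  if (samples.length < 3) return 'insufficient';
  const slope = heapSlope(samples);
  const grew = samples[samples.length - 1] > samples[0] * ratio;
  return slope > minBytesPerBatch && grew ? 'leak' : 'stable';
}

// Constructed readings (bytes) standing in for two real runs.
const LEAK_LIKE = [10e6, 12e6, 14e6, 16e6, 18e6, 20e6, 22e6, 24e6]; // +2 MB per batch
const GC_NOISE = [10e6, 13e6, 11e6, 14e6, 10e6, 13e6, 12e6, 11e6]; // sawtooth, no trend

// A workload that allocates short-lived memory; with forced GC between
// batches this should classify as "stable".
async function transientAllocation() {
  const buf = Buffer.alloc(64 * 1024);
  buf[0] = 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('constructed leak-like run:', classifyHeap(LEAK_LIKE));
  console.log('constructed GC-noise run:', classifyHeap(GC_NOISE));
  sampleHeap(transientAllocation, { batches: 8, perBatch: 50 }).then((s) => {
    console.log('live transient run:', classifyHeap(s), s.map((v) => Math.round(v / 1e6)));
  });
}
```

Without `--expose-gc` the live run still works, but readings taken between collections may classify as "leak" on a short run; that is exactly the false positive the forced GC removes, and why a verdict should rest on many batches and a sustained slope rather than on the first few samples.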

Pino

I did not release or do much work on pino itself. However, there were a few PRs waiting to be landed and released. The new release of pino-pretty includes quite a few updates that introduce new features and fix a few bugs. Check it out:

Release v7.3.0 · pinojs/pino-pretty · GitHub
🌲Basic prettifier for Pino log lines. Contribute to pinojs/pino-pretty development by creating an account on GitHub.
github.com

For those of you who do not know Hapi: it’s a web framework for Node.js that is very stable and preferred by several companies around the globe. hapi-pino plugs into Hapi’s logging mechanism. This release moves pino-pretty to devDependencies and implements a new feature.

Release v9.1.0 · pinojs/hapi-pino · GitHub
🌲 Hapi plugin for the Pino logger. Contribute to pinojs/hapi-pino development by creating an account on GitHub.
github.com

Last week I worked with my colleague Rafael to fix a significant regression in pino-http. Here is the result of our analysis and fix:

25% throughput improvement by mcollina · Pull Request #196 · pinojs/pino-http · GitHub
Improve the throughput of express by 25% with this simple change.
github.com

News

One of the most important pieces of news this week is that Express shipped a new release after two years 🍾. I’m happy that Doug is still active and I hope for more.

Release 4.17.2 · expressjs/express · GitHub
Fast, unopinionated, minimalist web framework for node. - Release 4.17.2 · expressjs/express
github.com

The second most notable piece of news from the last two weeks is the forced enrollment in 2FA for major publishers on the npm platform. This is great news for everybody, as it makes everybody significantly safer:

Enrolling all npm publishers in enhanced login verification and next steps for two-factor authentication enforcement | The GitHub Blog
Three weeks ago, we provided an update on our commitment to npm ecosystem security. We promised to provide more details on the additional steps we’re taking to secure the npm registry, and this post outlines the first phase of that plan.
github.blog

I was featured in the annual report from the Linux Foundation! Check it out:

If you haven’t heard about the Log4j vulnerability and you are running a product that uses Log4j, you are probably in trouble now. If you are mostly running Node.js… you might want to read up about it!

Log4Shell vulnerability disclosed: Prevent Log4j RCE by updating to version 2.15.0 | Snyk
Today (Dec.10, 2021), a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228, categorized as Critical with a CVSS score of 10 (the highest score possible).
snyk.io

Would you check your npm dependencies into your Git repo? Read this valuable opinion piece, and about how you would need to change your workflow to adopt it:

Why you should check-in your node dependencies - Jack Franklin
On every team at every company I’ve been at prior to my current role, the advice was simple: don’t check your node_modules folder into your version control system (which I’ll refer to as “Git” for the rest of this article…).
www.jackfranklin.co.uk

The Log4j vulnerability has spawned an incredible amount of really interesting content about Open Source sustainability. The following article has a somewhat new take: professionalizing the role of the Open Source maintainer.

Professional maintainers: a wake-up call
I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies.
blog.filippo.io

My friend Myles then followed up with a take along similar lines: you are getting some value from your OSS contributions.

Is single-threaded faster than multi-threaded? Read up on this long explanation of how Redis could potentially be made much faster, using a shared-nothing architecture with threads dedicated to partitions of the key space:

Redis Analysis - Part 1: Threading model
Following my previous post, we are going start with the “hottest potato” - single-threaded vs multi-threaded argument.
romange.com

What is TLS fingerprinting? It’s a technique that can be used to detect which runtime (and version) you are using by looking at the algorithms it advertises support for. How can you defeat it in Node.js? Read up:

Fighting TLS fingerprinting with Node.js
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that’s sufficiently unique to recognize you and infer details about your network client and device.
httptoolkit.tech

ARM CPUs are taking over the world. From smartphones to laptops to servers, they are both more performant and more energy efficient. Read this story on how Cloudflare could deliver 57% more performance per watt:

Designing Edge Servers with Arm CPUs to Deliver 57% More Performance Per Watt
Cloudflare has millions of free customers. Not only is it something we’re incredibly proud of in the context of helping to build a better Internet — but it’s something that has made the Cloudflare service measurably better.
blog.cloudflare.com

Would you like to speak at NodeCongress? The Call for Papers is open!
