Security Releases in the Node.js ecosystem, fastify-astro, and other Adventures in Nodeland!
Hi folks,
Last week has been incredibly busy with all the security updates as well as new content, and a new Platformatic release. As usual, let me know what you think!
Videos
Last Monday, I paired with Matthew Phillips of the Astro team to build fastify-astro together. We got almost all the features of the development mode working! Check out the video; there are quite a few tricks that you can use in your code too!
LiveStream 2023-02-13 - Building fastify-astro with Matthew Phillips - YouTube
Last Thursday, we started cleaning up the Unscalable Queue System codebase, and we also fixed a bug in Platformatic.
We have opened the following pull requests together:
- https://github.com/platformatic/platformatic/pull/692
- https://github.com/platformatic/unscalable-queue-system/pull/24
- https://github.com/platformatic/unscalable-queue-system/pull/23
You can watch the full video at: https://youtu.be/cAyzpu309Po.
@fastify/multipart security release
I’ve released @fastify/multipart v7.4.1 and v6.0.1, respectively, for Fastify v4.x and v3.x.
They contain the fix for a Denial of Service attack based on crashing the server using an unlimited amount of very tiny parts. You can find the advisory at GHSA-hpp2-2cr5-pf6g.
v7.4.1: https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
v6.0.1: https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
Node.js Security Releases
The security releases for Node.js v19.x, v18.x, v16.x and v14.x are all out; read more at https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/. Here is a summary of the vulnerabilities:
- Node.js Permissions policies can be bypassed via process.mainModule (High) (CVE-2023-23918).
- Node.js OpenSSL error handling issues in nodejs crypto library (Medium) (CVE-2023-23919).
- Fetch API in Node.js did not protect against CRLF injection in host headers (Medium) (CVE-2023-23936).
- Regular Expression Denial of Service in Headers in Node.js fetch API (Low) (CVE-2023-24807).
- Node.js insecure loading of ICU data through ICU_DATA environment variable (Low) (CVE-2023-23920).
Doing security releases is exceptionally hard. I want to thank Michael Dawson for being the security steward, and Richard Lau, Rafael Gonzaga, Juan José, Bradley Farias, Rich Trott and Robert Nagy for working on the fixes and the releases themselves.
undici v5.19.1 security release
Two of the fixes in the latest Node.js security release are Undici fixes, as Undici implements the WHATWG fetch() standard and is bundled into Node.js. Therefore we had to issue a security release for Undici as well, so go update! Here you can find the release notes for v5.19.1.
But there was a problem.
A few days earlier, I shipped Undici v5.19.0. Given that this release did not get the massive amount of testing an Undici release usually gets, it shipped with two regressions:
- “cookies is not iterable” error thrown when trying to iterate over a fetch response that contains a Set-Cookie header (nodejs/node, Issue #46704)
- 18.14.1 release altered fetch timeout defaults from 300s to 30s (nodejs/node, Issue #46706)
- Headers iterator throws when the response contains a Set-Cookie (nodejs/undici, Issue #1935)
These have been fixed in v5.20.0, which will be released as part of Node v19.7.0 and v18.14.2.
Releases
- platformatic v0.15.0 has multiple bug fixes and two new features!
- @fastify/url-data v5.3.0 replaces `uri-js` with `fast-uri`; v5.3.1 uses `X-Forwarded-Host` when `trustProxy` is set on the Fastify instance.
- @mercuriusjs/federation v1.0.1 updates to mercurius v12.
- light-my-request v5.9.0 adds a fake origin header. v5.9.1 reverts it, because I was wrong, and it broke things.
- mercurius v12.1.0 includes the subscription `id` in the `onSubscriptionEnd` hook.
- @mercuriusjs/gateway v1.2.0 fixes the service map generation and the correct closing of subscriptions.
- @fastify/swagger-ui makes it possible to pass functions through to the `swagger-initializer.js` file.
- pino-pretty v9.3.0 doesn’t print an escape backslash on strings containing escaped backslashes anymore.
- @fastify/reply-from v8.4.3 doesn’t change the headers of the original request.
Articles
- Web Push for Web Apps on iOS and iPadOS - Finally iOS gets support for Web Push! This means that installed web applications on Apple devices will soon be able to receive push notifications.
- The case for frameworks - in this article, @seldo argues that frameworks are a needed tradeoff between developer time and customers. Check it out; it offers a very interesting economic take on the developer experience market.
- ChatGPT Is Not a Blurry JPEG of the Web. It’s a Simulacrum. In this article, @domenic brings a different point of view on what GPT is bringing to society.
- `core-js` is one of the most controversial projects in the npm ecosystem because of its maintainer, and this time he is asking for more funds.
- Don’t Call It A Platform - in this article, Sam Newman argues that we should design our platforms for developer habitability. Read up.