Upcoming Node.js security releases and many other Adventures in Nodeland - Issue #82

Hey Folks! As I’m writing this I’m in Ortigia in Sicily waiting for my daughter to wake up. I’m grateful of every moment I can pass with her. Brace yourself for a CRITICAL OpenSSL release - we would need to update all our Node.js installs next week!

OpenSSL November Security Release | Node.js

OpenSSL is releasing a CRITICAL security fix the 1st of November. A Node.js security release will follow thereafter.

nodejs.org

Training

As you know, I’m a Board member of the OpenJS Foundation, the home of Node.js, Eslint, Webpack, and many other projects you know and love. One of the ways we keep our operations running is by providing a neutral home for vendor-neutral training. The Node.js training material for OpenJS was developed by my friend David Mark Clements with help of many others (including me). Are you interested? Head to https://training.linuxfoundation.org/application-development/ and enter the discount code COLLINA15 for 15% off.

Releases

• @fastify/cors v8.1.1 expose named export to make it work with typescript nodenext resolution algorithm.
• @fastify/express v2.1.0 removes a deep-require from within Fastify.
• @fastify/vite v3.0.0 the official vite integration for Fastify! The inevitable v3.0.1 prevents the automatic loading of vite.config.js.
• fastify-cli v5.5.1 adds the debug options to the help.
• @fastify/multipart v7.3.0 adds support for TS nodenext resolution algorithm.
• @fastify/swagger v8.1.0 adds support for server relative and templated URLs and renders the syntax of different content types responses.
• async-cache-dedupe v1.5.0 allows the ttl parameter to be a function.
• hapi-pino v11.0.1 removes old types.
• @fastify/nextjs v9.2.0 adds support for Next.js v13!
• @fastify/request-context v4.1.0 adds support for defaultStoreValue to be a function.
• undici v5.12.0 improves fetch WPT test compatibility; undici.fetch() now pass 84% of WPT tests for fetch. It also fixes a tough bug on that could lead to unexpected errors - closing the socket is now interpreted as a “message complete” case. It also adds authentication support to ProxyAgent, and it updates llhttp to v8.1.0.

Articles I found interesting

Do you like css-in-js? It’s a wildly popular approach - and yet teams are starting to switch back to using CSS.

What is the 103 Early Hints status code? They can speed up the loading of your website - they are the successor of HTTP/2 push! Did you know that Node.js had support for early hints https://nodejs.org/api/http.html#responsewriteearlyhintshints-callback? In fact, you might not even need Node.js to leverage this as Cloudflare could do this for you, automatically.

Do you think CoPilot is breaking the Open Source licenses of our software? In any case, check out this investigation: there might be some news coming out of this topic sooner rather than later.

At Next.js Conf last week, Vercel announced Turbopack - their successor of Webpack. You should check it out ;).