What is Open Source BTW?

Hi folks,

It's been a couple of weeks since the last email, and this is packed with updates. It includes two talks that I published on YouTube, links to the ongoing debate on open-source licensing, a brief explanation of the recent Node.js security release, many releases, and quite a few interesting articles.

Talks

How to speed up your Node.js API by 5x

I recorded a short video on how we made Platformatic DB routes up to 5x faster... by de-duplicating concurrent queries. The "trick is to use the async-cache-dedupe module to deduplicate the request to the database. In our implementation, we increased the req/s of Platformatic DB by 5x, while reducing the latency to 1/3. Amazing? You can implement it too!

The first time we met was in 2012

In 2012, this tiny community group, "WEBdeBS" ran the first conference ever on Node.js. I was there in the room, watching great speakers present a future in technology that was so innovative that blew my mind. No one would have thought that the bumblebee could fly, but now Node.js is installed on every developer machine - yours too! In this talk, we are going to go through the story of Node.js, what were the key moments in Node.js history, and what's the state of the project today. We will also cover all the key features we shipped between 2012 and now, and why developing Node.js applications in 2023 can be so much better!

What is Open Source BTW?

According to the Open Source Initiative, the Open Source Definition is available at https://opensource.org/osd/. However, not everyone agrees.

There is an ongoing debate on tech startups in how to monetize Open Source, which is often implemented via relicensing:

• Terraform
• ElasticSearch
• MongoDB

Which all successfully (?) transitioned from an Open Source license to a Source-Available one, essentially prohibiting somebody from competing against them on the cloud by offering similar services. Something to keep in mind is to choose projects with licenses that forbid retroactive relicensing.

This debate has been spilling over AI/LLMs and Frontend frameworks too.

I think Foundations are a good place to ensure "shared" ownership of Open Source projects so that projects can survive their original inventors. This is why Node.js, Electron, Eslint, Webpack, Fastify, and many other projects are housed in the OpenJS Foundation. Saying it in another term, when asked why an author should consider moving a project to a Foundation, I tend to reply:

A Foundation protects the project users from you.

Not everybody agrees on this take, read Matthew Phillips' take.

Handling 398 million rps and Node.js Security Release

Last week, CloudFlare and Google released details on a large scale DoS attack that they received in August... by using a "feature" of HTTP/2:

• Google mitigated the largest DDoS attack to date, peaking above 398 million rps
• HTTP/2 Rapid Reset: deconstructing the record-breaking attack

While the technical aspects of this attack are fascinating, we had to ship our "fall" security release a few weeks earlier than planned to address this HTTP/2 scenario, this includes:

• undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (High) - CVE-2023-45143
• nghttp2 - HTTP/2 Rapid Reset (High) - CVE-2023-44487
• Permission model improperly protects against path traversal (High) - (CVE-2023-39331)
• Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)
• Integrity checks according to policies can be circumvented (Medium) - (CVE-2023-38552)
• Code injection via WebAssembly export names (Low) - (CVE-2023-39333)

Releases

• async-cache-dedupe v2.0.0 updates dependencies, drop node < 18
• mercurius-cache v6.0.0 update dependencies and tests - drop node 16 and redis 5
• @fastify/passport v2.4.0 avoids multiple calls to regenerate().
• @fastify/error v3.4.0 adds support for .cause.
• @fastify/oauth2 v7.5.0 improves out-of-the-box types by using a prefix when decorating.
• on-exit-leak-free v2.1.2 do not initialize FinalizationRegistry if not required.
• thread-stream v2.4.1 do not use FinalizationRegistry with NODE_V8_COVERAGE.
• mqtt-packet v8.2.1 fixes IUnsubackPacket type definition.
• sonic-boom v3.5.0 .write(Buffer) support, call fsync on close. v3.6.0 adds a callback to flush(). v3.6.1 fixes a memory leak when calling flush before the stream was ready.
• @fastify/jwt v7.2.2 fixes local sign options overwrites global sign options.
• sonic-boom v3.7.0 makes stream.flushSync call fs.fsyncSync.
• find-my-way v7.7.0 adds findRoute and hasRoute methods.
• pino v8.15.4 adds auto completion for level property; v8.15.5 v8.15.6 fixes a flaky test in CITGM, v8.16.0 adds a callback to flush().
• climem v2.0.0 updates dependencies and support worker_threads.
• fastify v4.24.0 adds support for Symbol.asyncDispose, increase perf for routes with params, fixes a warning for accessing the context property, fixes the HEAD route search.
• undici v5.26.0 adds support for --max-http-header-size Node.js flag and fixes multiple bugs with HTTP/2 and NODE_V8_COVERAGE. v5.26.1 fixes up Node.js detection.
• fastify-undici-dispatcher v0.5.0 adds support for @fastify/express.
• @fastify/swagger-ui bumps swagger-ui-dist to v5.9.0;v1.10.1 fixes the ability to use a custom logo.
• @fastify/swagger v8.11.0 supports for webhooks option according to Open Api 3.1.0; v8.12.0 generates path params definition when missing.

Articles

• Spendesk Adopts Platformatic to Enhance Backend Development Efficiency
• Making Self-signed Certificates Work
• Thread-per-core - Without boats, dreams dry up
• Speeding up the JavaScript ecosystem - The barrel file debacle
• Write your own Zod
• Speeding up the JavaScript ecosystem - The barrel file debacle