Why Node permissions are experimental for now
#492 — June 27, 2023
The June 20 Node.js Security Releases — As we suggested last week, the Node.js 16.x, 18.x, and 20.x lines all got updates in the form of v20.3.1 (Current), v18.16.1 (LTS), and v16.20.1 (LTS). The vulnerabilities are explained in the post and are primarily related to OpenSSL or the use of the experimental permissions feature behind the –experimental-permission flag. (This is why it’s an experimental feature, while initial weaknesses are discovered and fixed.)
A Day in the Life of an Ethical Hacker — Ethical hackers proactively identify security weaknesses before they can be exploited by malicious actors. Learn practical steps for getting started with ethical hacking, from reconnaissance and vulnerability exploitation to responsible disclosure.
A Look at TypeScript 5.2’s New Keyword: using — using brings something akin to Python’s with context management into TypeScript with a way to automatically run a function when an object leaves scope. You could use it to shut down a database connection, close file handles, etc.
SAFER ACTIONS: GitHub has a new tool to secure your GitHub Actions. It monitors your workflows and recommends the minimum permissions they really need to run.
NESTJS v10: We mentioned the release of NestJS v10 last week, but somehow missed the official NestJS v10 release post that goes into more detail of what’s new in the popular server-side Node framework.
11TY NEWS: Zach Leatherman, the creator of the Eleventy (11ty) static site generator, says that due to the conclusion of Netlify’s (appreciated) sponsorship of the project, Eleventy will be returning to ‘side project’ status. If you’re a user, there’s a community survey to help guide what Zach does next.
A Look at the Architecture of an Early Stage SaaS — Feelback is a hosted feedback collection app and their team explains their app’s architecture in detail. Their API is built on Node, hosted on Fly, with a React SPA up front.
An Intro to Command Injection Vulnerabilities — Think SQL injection but with commands. If your app, or even one of its dependencies, constructs commands from user/third party input and runs them locally, there’s potential for trouble.
How to Create a Multi-Region Node.js Lambda API — …using Serverless Framework and pairing it with a serverless multi-region CockroachDB database.
Paul Scanlon (Cockroach Labs)
Using PlanetScale with Serverless Framework Node Apps on AWS
Matthieu Napoli (PlanetScale)
🛠 Code & Tools
Nightwatch.js 3.0: End-to-End Web Testing Framework — v3 includes some new selectors, features a revamped experience, lets you test Angular components in isolation, adds test double support for unit tests, and more. GitHub repo.
☕️ Along similar lines, TestCafé 3.0 has also been released. It takes a more direct approach than Nightwatch’s Selenium-derived WebDriver API approach, and v3.0 has added support for directly driving Chromium-based browsers over the Chrome DevTools Protocol.
Shiki: A Syntax Highlighter Using VS Code Themes — Supports over 100 languages and you can specify a VS Code theme in the settings to get the look you want. Works in both Node.js and even on static sites (via a CDN build) and you can see some examples here.
Save $1 Off Your Next Domain Name Registration at Porkbun.com — Create your next project on a domain from Porkbun.com. The best prices, services, and support of any domain registrar!
google-spreadsheet 4.0: Interact with Google Sheets — Sheets is Google’s cloud-based spreadsheet app and it has an API so you can work with documents from your own code.
DerbyJS 2.1: Mature MVC Web Framework — It’s never been the most popular option, but at 12 years old, Derby has lived through most of Node’s history and remains an option for building realtime, collaborative apps. GitHub repo.
Nate Smith et al.
↳ Redis-based distributed queue for Node.
↳ Batteries-included GitHub SDK.
↳ ORM that maps SQL query results to objects.
↳ Get / set desktop wallpaper cross-platform.
Find Tech Jobs with Hired — Hired makes job hunting easy-instead of chasing recruiters, companies approach you with salary details up front. Create a free profile now.