OpenJS Foundation

Node.js Security Progress Report – More Successful December Outcomes


December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software. 

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, 2 previous reports had the fixes disclosed, and 2 ecosystem issues were handled with one having a fix approved and one fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component of Node.js security. We are finishing the permission model and will look to increase participation on GitHub once it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed: https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh.

OpenSSL update

OpenSSL announced a low-severity vulnerability that affects OpenSSL 3.x users, which means Node.js v18+. We evaluated the issue and disclosed our assessment. This vulnerability doesn’t affect Node.js, and the updated OpenSSL will be picked up in regular releases.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!

Thank you! DigitalOcean Supports OpenJS Foundation with Open Source Credits


Thank you to our friends at DigitalOcean for supporting the OpenJS Foundation with their hosting services! DigitalOcean supports developer and entrepreneurial communities, and they have been supporting OpenJS-hosted projects jQuery and Node.js by granting monthly credits to expand the reach of these critical open source projects. 

“DigitalOcean has consistently shown a level of support for open source that goes above and beyond,” said Robin Ginn, Executive Director, OpenJS Foundation. “We depend on DigitalOcean for some key parts of our infrastructure that allow us to support and promote the JavaScript ecosystem. It makes a difference, and it is very much appreciated.”

“As a way to support open source projects that incorporate values that we believe in and advocate for, DigitalOcean is happy to offer these grants of credits to help with development, infrastructure, and testing needs. We strongly believe in giving back to valued open source ecosystems like the OpenJS Foundation,” said Megan Wood, Chief Strategy Officer at DigitalOcean. “We are focused on helping communities scale and continue to make open source ecosystems stronger than ever, we are very proud to support.”

From all of us at the OpenJS Foundation, we look forward to continuing to build the JavaScript ecosystem together!

Get Node.js Certified with the Newest Version!


The OpenJS Node.js certification exams have been updated with new content today to reflect Node.js 18, the current long-term support (LTS) version. The certification is ideal for upper-intermediate Node.js developers looking to establish their credibility and value in their career.

To sign up now to take the certification exams, see https://openjsf.org/certification/ 

The Node Application Developer testing content broadly covers competence with Node.js to create applications of any kind, with a focus on knowledge of Node.js core APIs, while the Node Services Developer testing content covers creating and connecting HTTP services along with web security practices. Many participants have talked about how the classes have helped both their confidence and their resume.

The exams have been updated based on an evaluation of all recent additions to Node.js core APIs, the evolution of the Node.js ecosystem, and continual tracking of industry standards. As a result, candidates will see a few exam questions have been either removed or added within relevant topic areas without increasing exam duration.

To help prepare for the Node.js Certification exams, the Linux Foundation offers training courses for both the Applications and Services exams. The training courses were authored by David Mark Clements, a principal architect, public speaker, author of the Node Cookbook, and open source creator specializing in Node.js and browser JavaScript, currently working with Holepunch on keet.io.

These exams are evergreen and soon after Node.js updates its LTS version line, the certifications are updated to stay in lockstep with that LTS version. 

To see what’s new in Node.js 18, see “Node.js 18 Released With Improved Security, Fetch API, and Next-10 Strategic Initiatives” 

The OpenJS Node.js Certification program was developed over time with community input, and launched two years ago in partnership with NearForm and NodeSource. 

Discounts from 10% to 50% are available on all OpenJS Node.js training and certifications for members of the OpenJS Foundation and supporters of its JavaScriptLandia program. Corporate subscriptions are also available for full access to the Linux Foundation Training and Certification programs.

Sign up now for training or certification exams! https://openjsf.org/certification/

Node.js 19 is now available!


Node.js 19 is now available! Node.js 19 replaces Node.js 18 as our current release line, with Node.js 18 being promoted to long-term support (LTS) next week.

What do these two releases mean? Node.js 19 is ready for early feature testing, and Node.js 18 LTS will be fully ready for production deployments starting next week, October 25.

Rafael Gonzaga from Nearform and Ruy Adorno from Google have been working as the release leads for this version.

“With over 1,150 commits since the last release, Node.js continues to improve along a broad spectrum of functionality. Improvements in connectivity, performance and throughput are important parts of Node.js 19. We’ve been working hard on making Node.js more secure and performant, and I believe we are getting better and better. If you’re in active deployment, Node.js 18 LTS is for you. If you’re interested in getting access to features early, Node.js 19 is ready,” said Rafael Gonzaga, Node.js Core Member. “Many thanks to our open source contributors for making Node.js better and better.”

What’s exciting about Node.js 19 is that you can expect new releases approximately every two weeks, always keeping you up to date with the latest features and changes. Since this is an odd-numbered release line, Node.js 19 will not be promoted to LTS. You can read more about our release policy at https://github.com/nodejs/release.

Because releases are now frequent, new features arrive incrementally over time rather than all at once, yet Node.js 19 still includes several notable updates.

“Node.js releases are fundamentally a team effort, and, more broadly, a community effort. Node.js 19 and Node.js 18 LTS are great examples of this with input and code from a wide range of developers,” said Ruy Adorno, Node.js Release Working Group Chair and Senior Software Developer, Google. “Try out Node.js yourself, and if you have contributions, we are very interested in working with you.”

Main updates for Node.js 19

  • HTTP(S)/1.1 KeepAlive now set by default
  • Custom ESM Resolution Adjustments
  • Dropped support for DTrace/SystemTap/ETW
  • Updated V8 JavaScript engine to 10.7
  • llhttp 8.1.0

HTTP(S)/1.1 KeepAlive by default

Node.js now sets `keepAlive` to `true` by default. Outgoing HTTP or HTTPS connections will automatically use HTTP/1.1 keep-alive. This could be enabled before, but it required setting specific agent parameters; now it is the default. This means better performance and throughput out of the box.

Custom ESM Resolution Adjustments

Node.js has removed the `--experimental-specifier-resolution` flag. Its functionality can now be achieved via custom loaders.

Dropped support for DTrace/SystemTap/ETW

DTrace can be used to get a global overview of a running system, such as the amount of memory, CPU time, filesystem and network resources used by the active processes. It can be an important tool, but keeping it up-to-date is complex, and it was decided we don’t have personnel to properly support it. If you are interested in helping to bring DTrace back, an issue has been opened here: github.com/nodejs/node/issues/44550

Updated V8 JavaScript engine to 10.7

The V8 engine is what powers Node.js. It parses and runs your JavaScript inside a Node environment. Node.js follows updates to the V8 JavaScript engine closely. 

This version adds a new feature to the JavaScript `Intl` API: `Intl.NumberFormat` v3, a TC39 ECMA-402 stage 3 proposal that extends the pre-existing `Intl.NumberFormat`.

llhttp 8.1.0

llhttp is a port of http_parser to TypeScript. It is used to generate a C source file, which can be compiled and linked with an embedder’s program such as Node.js. It parses both requests and responses, and is designed for high-performance HTTP applications. The Node.js team is regularly improving llhttp with new API features and new callbacks.

Try it out today

To download Node.js v19.0.0, visit: https://nodejs.org/en/download/current/. Check out the release post at https://nodejs.org/en/blog/release/v19.0.0, which contains the list of commits included in this release. The team would love to hear your feedback!

“Thank you to Rafael and Ruy for taking on this release, and thank you to our community – your feedback is so important for the iteration of Node.js,” said Senior Software Engineer at Red Hat, Node.js TSC Member, and prior major release steward, Bethany Griggs. “As a long time maintainer of Node.js, hearing from the community allows us to push these releases more efficiently.”

Testing your applications and modules with Node.js 19 helps to ensure the future compatibility of your project with the latest Node.js changes and features.

For the timeline of Node.js releases, check out the Node.js Release Schedule.

“We look forward to what the community will build with the release of Node.js 19,” said OpenJS Foundation Executive Director Robin Ginn. “With each release, the team is quickly working to ensure developers are always up to date and able to test out new features.”

Thank you

We’d like to thank all of the Node.js collaborators and contributors, as this release and upcoming ones are a direct result of their efforts!