Save up to 65% off for Cyber Week on Node.js training and certification. Offer available until December 5.
This month, learn more about security best practices, the threat model and recent Node.js releases.
The OpenJS Node.js certification exams have been updated with new content today to reflect the latest current, long-term support (LTS) version of Node.js 18. The certification is ideal for the upper-intermediate Node.js developers looking to establish their credibility and value in their career.
To sign up now to take the certification exams, see https://openjsf.org/certification/
The Node Application Developer testing content broadly covers competence with Node.js to create applications of any kind, with a focus on knowledge of Node.js core API’s while the Node Services Developer testing content covers creating and connecting HTTP services and along with web security practices. Many participants have talked about how the classes have helped both their confidence and their resume.
The exams have been updated based on an evaluation of all recent additions to Node.js core APIs, the evolution of the Node.js ecosystem, and continual tracking of industry standards. As a result, candidates will see a few exam questions have been either removed or added within relevant topic areas without increasing exam duration.
To help prepare for the Node.js Certification exams, the Linux Foundation offers training courses for both the Applications and Services exams. The training courses were authored by David Mark Clements, a principal architect, public speaker, author of the Node Cookbook, and open source creator specializing in Node.js and browser JavaScript, currently working with Holepunch on keet.io.
These exams are evergreen and soon after Node.js updates its LTS version line, the certifications are updated to stay in lockstep with that LTS version.
To see what’s new in Node.js 18, see “Node.js 18 Released With Improved Security, Fetch API, and Next-10 Strategic Initiatives”
The OpenJS Node.js Certification program was developed over time with community input, and launched two years ago in partnership with NearForm and NodeSource.
Discounts from 10% – 50% are available for all the OpenJS Node.js training and certifications for members of the OpenJS Foundation and supporters of its JavaScriptLandia program. Corporate subscriptions are also available for full access to the Linux Foundation Training and Certification programs.
Sign up now for training or certification exams! https://openjsf.org/certification/
By: Robin Ginn, Executive Director, OpenJS Foundation and Brian Behlendorf, General Manager, OpenSSF
Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.
This is the second funded project coming from the OpenSSF to the OpenJS Foundation, the neutral home for JavaScript and the web. Earlier this year OpenSSF selected Node.js as its initial project, committing $300,000 to focus on improving supply chain security.
OpenJS, working with the jQuery maintainers and industry experts, will undertake three core initiatives under this grant: an ecosystem risk audit, an expansion of its infrastructure modernization project, and a web modernization campaign.
“There’s a lot of work to be done to help secure the consumer web,” said Michael Scovetta, Alpha-Omega co-lead and Principal Security PM Manager at Microsoft. “We believe partnering with the vendor-neutral OpenJS Foundation is a great way to communicate out broadly to developers and to work with technology partners to reduce potential security incidents for jQuery. This is a wide ranging effort that is by no means simple.”
jQuery Core is still actively maintained, and the maintainers have taken steps to consolidate and modernize its infrastructure with support from the OpenJS Foundation including migrating and improving its CDN. jQuery is still used by 77% of the world’s top 10 million websites, but one-third of those sites are still using 15-year-old legacy jQuery 1.x when they should be using a much more current version.
As part of its modernization initiative, OpenJS Foundation has also helped jQuery with two projects under the jQuery umbrella through a careful transition: jQuery UI and jQuery Mobile. However, there is much work to be done to fully understand and mitigate potential risks.
“The use of ubiquitous technologies like jQuery is invisible to most, however potential problems could affect millions of websites. And, there’s no one-size-fits-all solution. This is exactly the type of project that the OpenSSF is looking to support, and we are excited to be working on our second project with the OpenJS Foundation, helping to advance open source security for all,” said Michael Winser, Alpha-Omega co-lead and Group Product Manager for Software Supply Chain Security and CI/CD at Google. “We are pleased to be committing to this project with the OpenJS Foundation and jQuery.”
The OpenJS Foundation and OpenSSF are looking forward to working closely together to help developers around the globe improve their open source security readiness!
If you’re interested in finding out how you can help, please contact the OpenJS Foundation via https://openjsf.org/collaboration/.
The release of Node.js 19 is now available! Node.js 19 replaces Node.js 18 as our current release line, with Node.js 18 being promoted to long-term support (LTS) next week.
What do these two releases mean? Node.js 19 is ready for early feature testing, and Node.js 18 LTS will be fully ready for production deployments starting next week, October 25.
Rafael Gonzaga from Nearform and Ruy Adorno from Google have been working as the release leads for this version.
“With over 1,150 commits since the last release, Node.js continues to improve along a broad spectrum of functionality. Improvements in connectivity, performance and throughput are important parts of Node.js 19. We’ve been working hard on making Node.js more secure and performant, and I believe we are getting better and better. If you’re in active deployment, Node.js 18 LTS is for you. If you’re interested in getting access to features early, Node.js 19 is ready,” said Rafael Gonzaga, Node.js Core Member. “Many thanks to our open source contributors for making Node.js better and better.”
What’s exciting about Node.js 19 is that you can expect new releases approximately every two weeks, always keeping you up to date with the latest features and changes. Since this is an odd-numbered release line, Node.js 19 will not be promoted to LTS. You can read more about our release policy at https://github.com/nodejs/release.
The increased frequency of Node.js releases means that cool features are now being added over time, yet Node.js 19 includes several updates.
“Node.js releases are fundamentally a team effort, and, more broadly, a community effort. Node.js 19 and Node.js 18 LTS are great examples of this with input and code from a wide range of developers,” said Ruy Adorno, Node.js Release Working Group Chair and Senior Software Developer, Google. “Try out Node.js yourself, and if you have contributions, we are very interested in working with you.”
Main updates for Node.js 19
- HTTP(S)/1.1 KeepAlive by now set by default
- Custom ESM Resolution Adjustments
- Dropped support for DTrace/SystemTap/ETW
- Updated V8 JavaScript engine to 10.7
- llhttp 8.1.0
HTTP(S)/1.1 KeepAlive by default
Node.js now sets keepAlive to true by default. Outgoing HTTP or HTTPs connections will automatically use HTTP 1.1 Keep-Alive. It could be set this way before but specific parameters needed to be set. Now it’s by default. This means better performance and throughput by default.
Custom ESM Resolution Adjustments
Node.js has removed the –experimental-specifier-resolution flag. Its functionality can now be achieved via custom loaders.
Dropped support for DTrace/SystemTap/ETW
DTrace can be used to get a global overview of a running system, such as the amount of memory, CPU time, filesystem and network resources used by the active processes. It can be an important tool, but keeping it up-to-date is complex, and it was decided we don’t have personnel to properly support it. If you are interested in helping to bring DTrace back, an issue has been opened here: github.com/nodejs/node/issues/44550.
Updated V8 JavaScript engine to 10.7
The V8 engine is what powers Node.js. It parses and runs your JavaScript inside a Node environment. Node.js follows updates to the V8 JavaScript engine closely.
This version includes a new feature to the JavaScript API: `Intl.NumberFormat`. `Intl.NumberFormat` v3 API is a new TC39 ECMA402 stage 3 proposal extending the pre-existing Intl.NumberFormat.
llhttp 8.1.0
This project is a port of http_parser to TypeScript. It is used to generate the output C source file, which can be compiled and linked with an embedder’s program like Node.js. It parses both requests and responses. The parser is designed to be used in performance HTTP applications. The Node.js team is regularly improving llhttp with new API features and new callbacks.
Try it out today
To download Node.js v19.0.0, visit: https://nodejs.org/en/download/current/. Check out the release post at https://nodejs.org/en/blog/release/v19.0.0, which contains the list of commits included in this release. The team would love to hear your feedback!
“Thank you to Rafael and Ruy for taking on this release, and thank you to our community – your feedback is so important for the iteration of Node.js,” said Senior Software Engineer at Red Hat, Node.js TSC Member, and prior major release steward, Bethany Griggs. “As a long time maintainer of Node.js, hearing from the community allows us to push these releases more efficiently.”
Testing your applications and modules with Node.js 19 helps to ensure the future compatibility of your project with the latest Node.js changes and features.
For the timeline of Node.js releases, check out the Node.js Release Schedule.
“We look forward to what the community will build with the release of Node.js 19,” said OpenJS Foundation Executive Director Robin Ginn. “With each release, the team is quickly working to ensure developers are always up to date and able to test out new features.”
Thank you
We’d like to thank all of the Node.js collaborators and contributors, as this release and upcoming ones are a direct result of their efforts!
There was good progress in September aimed at improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. The grant helped the team cover an extra 4 reports from HackerOne, helped with 3 security releases, and made important new changes to security processes. And, we attended the OpenJS Collab Summit and got more feedback directly from Node.js members.
6 Fixed Vulnerabilities and 1 Security Release
There were 2 Security Working Group and 2 Release Working Group meetings in September. Based on 4 CVEs from HackerOne, there were 4 releases of Node in the past month, and much of the focus of our security work was here. There were also 3 security releases of Node.js in the following release lines:
Improving Security Processes
The Node.js team proposed and implemented 2 major changes in the mechanism for fixing CVEs. Since it’s possible that patches can create a new vulnerability, we looked for ways to better communicate back to the original reporter to close the loop. The first change is that we share a diff back to the reporter. This is a visual confirmation of the process. A second change whenever a security report is fixed, the binary will be built and sent to the reporter. We fix a problem, compile it locally, test it, create a binary, and send it (when applicable) to the original reporter through the HackerOne thread.
OpenJS Collab Summit (Oct 1-2, 2022, Dublin, Ireland)
The Collaborators Summit brings maintainers and contributors together to discuss Node.js. Committees and working groups come together twice per year to make important decisions. In Dublin, there was lots of engagement, and we were able to hear some concerns about including security more explicitly in planning for the future. We were very pleased with the interactions.
Pictures from Collab Summit, thanks to Tony Gorez
Sustainability Takeaways from Grace Hopper
Through my role at the OpenJS Foundation, I get to personally experience the progress in building inclusive open source communities. There are so many lovely humans working on JavaScript projects here!
There also has been a lot of progress in teaching a new generation of women how to code using open source software (OSS), which I got to experience meeting some of the 15k attendees at the AnitaB Grace Hopper Celebration (GHC) conference last week, including several young women who were jazzed about Node.js, RISC-V, Hyperledger Cactus, PyTorch, Linux, and more.
At the same time, we’ve reached an inclusion quandary. We’ve taught a new generation how to build with open source, but we haven’t done enough to facilitate their participation in open source communities that are ready to welcome new contributors.
Next is Now
“Next is now” was the theme of the Grace Hopper Celebration. I’m inspired to do more now to merge our inclusive communities with the smart, passionate and ambitious women and nonbinary developers I met last week. Imagine the impact this would have on the health and sustainability of open source projects!
I had many interesting conversations with GHC attendees, from students to professionals to computer science professors. In addition to a knowledge gap on open source governance, there was a sense of intimidation and awkwardness about the idea of participation in an open source project.
“Nope, you don’t show up with a hundred lines of code solving an unknown problem.” That’s an easy answer. However, I realized that I didn’t have all the answers on how to get started.
Grace Hopper Open Source Day
The Grace Hopper Open Source Day (OSD) virtual pre-event, plus the open source sessions in-person, was a great opportunity for leaders among open source communities to share practical skills for attendees.
The Open Source Day brought together our Node.js maintainers and industry mentors in an all-day hackathon. We were thrilled that the Node.js project was selected as a featured project at the GHC OSD, and loved having about 75 women of those hacking away with Node.js project Collaborators and industry mentors. This resulted in 27 pull requests (PRs) – woot!
A big shout out to the Node.js Technical Steering Committee leaders who organized and led the hackathon, Danielle Adams, Franziska Hinkelmann, and Rich Trott, and our OpenJS Board Director Paula Paul who brought in mentors and facilitated the event.
If you were not able to attend the Hackathon, we encourage you to still get involved with Node.js and start contributing! More information can be found on GitHub.
Our hope is the AnitaB organization will make GHC OSD 2023 freely available to all who want to participate virtually.
Moving Forward
More than ever, we need to create a bridge for new maintainers of varying identities and backgrounds and encourage them to get involved where they can. I encourage all of our JavaScript maintainers and contributors to be a mentor to others, and invite them to join in on the great technologies that our community builds. A diverse community is a strong community, and I hope you’ll join us.
If you haven’t done so already, please get to know us on our OpenJS Foundation Slack channel. Your open invitation is at https://slack-invite.openjsf.org, plus check out more ways to get involved at https://openjsf.org/collaboration/.
For more details on our involvement in this year’s Grace Hopper Celebration, check out the Linux Foundation blog.
Reginé Gilbert, Industry Assistant Professor at NYU, presented on Creating Inclusive and Accessible Experiences at OpenJS World 2022 this past June. As Reginé stated, “we are responsible for creating worlds of experiences and systems that impact millions of people – with lasting impacts.”
The presentation began with Reginé sharing the importance of inclusion and accessibility in today’s world. She then followed by listing the five key elements of accessibility culture and then gave an overview of the importance of each element. Reginé shared various social media accessibility practices and provided an example of social media accessibility features being used along with common accessibility issues. From this, Reginé concludes with a variety of action items for the audience to practice in their own work to move from awareness to action.
Full keynote available here: https://www.youtube.com/watch?v=n7NPlTPE4mI
Main Sections:
0:00 Introduction
0:29 Inclusion
1:26 Accessibility
4:39 Culture
6:05 Social Media accessibility practices
13:53 Common accessibility issues
16:29 Things to consider when creating experiences
19:51 Moving from awareness to action
21:16 Closing
Main OpenJS Resources:
Main Site: https://openjsf.org/
Blog: https://openjsf.org/blog/
Join: https://openjsf.org/about/join/
Certification: https://openjsf.org/certification/
Twitter: https://twitter.com/openjsf
LinkedIn: https://www.linkedin.com/company/openjs-foundation/
Last month, we announced that we added 2 new Silver Directors to our OpenJS Foundation board, as well as a new CPC Director. Today, we’re excited to share that Sarajane Whitfield has joined our board as a Platinum Director and Vice Chairperson.
A little more about Sarajane:
Sarajane is an attorney program manager on Google’s Open Source Compliance & Policy Advisement Team. She is an advocate for developing user-friendly policies and procedures to make open source compliance more straightforward and manageable. Before Google, Sarajane was a corporate and transactional attorney working closely with early stage tech startups in the New England area, and was previously in operations and product management at medical device and health tech startups in Nashville, TN. She’s a self-taught coder, competitive sailor, and avid baker.
Welcome Sarajane! We look forward to the contributions you will bring to the OpenJS Foundation.