Node.js

Node.js Security Progress Report – Automation, Automation and more Automation

By Blog, Node.js, Node.js Security

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April, with more people participating than the previous month. The time to first response in April was 18 hours, well within our goal of a 48-hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency-update automations were completed this month, covering undici, openssl, v8, npm and more. Only 2 more automations remain.

As a reminder, the Security Working Group started investigating the dependencies of Node.js in November last year. They identified which dependency updates could be automated and which should be prioritized: https://github.com/nodejs/security-wg/issues/828. We can already see the benefits of this work in the increased number of dependency-update pull requests submitted automatically to the project.

Security Release Automation

The Security Working Group is focusing on implementing automation for the key dependencies in the build. This makes the overall process easier and less prone to error, and it makes it possible in the future for different stewards to complete the process. 

There are currently 26 steps in a Node.js security release. If greater automation works, it will be a big step forward. Please expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes this the right time to try it. Any bug in it is treated as a vulnerability, because the Permission Model is a security feature.

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His contributions to reports and blogs have generated great visibility on social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self-sufficiency. 

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

Node.js Security Progress Report – More Successful December Outcomes

By Blog, Node.js, Node.js Security

December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software. 

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, 2 previous reports had the fixes disclosed, and 2 ecosystem issues were handled with one having a fix approved and one fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component to Node.js security. We are finishing the permission model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed: https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh.

OpenSSL update 

OpenSSL announced a low-severity vulnerability that affects OpenSSL 3.x users, which means Node.js v18+. We evaluated the issue and disclosed our assessment. This vulnerability doesn’t affect Node.js, and the fix will be picked up in regular releases.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!

OpenJS World 2021 Keynote Recap: Node.js: The New and the Experimental

By Blog, Node.js

Bethany Griggs, Node.js Technical Steering Committee member, and Senior Software Engineer at Red Hat, describes in detail how new and experimental features are added to the Node.js project.

Griggs starts the talk with an introduction to Node.js, a highly decentralized open-source project, with no forward roadmap and a heavy activity flow in multiple directions. New features are added to the project based on the interests and requirements of the contributors. She introduces the Working Groups and Teams focused on different areas of the project and the Strategic Initiatives which help smooth operations of the project.

Next, Griggs discusses the project delivery schedule for Node.js. There are two major releases per year with even number releases being promoted to Long-Term Support (LTS). She mentions that each release has three defined release phases. During the Current phase, the release line picks up the non-major changes that land on the Node.js main branch. The Active phase incorporates only the new features, fixes, and updates that have been audited and approved by the LTS team. Only critical bug fixes are part of the Maintenance phase and new features are rarely added in this phase.

In the second half, Griggs introduces a Stability Index, ranging from 0 to 3, which allows users to decide on features to use in their applications. She discusses each index in detail with examples for each of these APIs.

Griggs explains that Stability Index 0 indicates a Deprecated API, which may be removed in future versions of Node.js. An API is first Documentation Deprecated and then elevated to a Run-time Deprecation. Stability Index 3 is for Legacy APIs, which are discouraged from being used in new applications. She assures users that Legacy APIs will not be removed by the project, so applications using these APIs will not be affected.

Experimental APIs have a Stability Index of 1 and may change even in the long-term support phase. She warns that users must use them cautiously in production workloads. She further explains that experimental APIs are ones that do not have an agreed-upon design and are later modified based on user feedback. Stability Index 2 is reserved for Stable APIs for which Semantic Versioning applies and compatibility is a priority. Experimental features only get promoted to stable when the main contributors have confidence in the API and no major changes are likely. She then introduces some new stable features of the project.

In her concluding remarks, Griggs encourages users to look at and provide feedback on the experimental features of the project, which helps the project in speeding up the process of promoting experimental features to stable features. She also warns against the use of experimental APIs in critical applications.

Full Video Here

Broken down by section:

  • Panel Introduction 0:00
  • Overview 0:48
  • Introduction to OpenJS Foundation 1:09
  • Node.js 1:42
  • What’s next? 3:07
  • Working Groups and Teams 4:10
  • Strategic Initiatives 5:06
  • Releases 7:26
  • Deprecated APIs 12:14
  • Legacy APIs 15:12
  • Experimental APIs 16:47
  • Stable APIs 25:31
  • Conclusion 28:26

Node.js Update: Renaming N-API to Node-API

By Blog, Node.js

This post was contributed by the Node-API team and was initially published on the Node.js Medium Blog. Node.js is a hosted project of the OpenJS Foundation.

The reason for this blog post is to explain what motivated us to rename N-API to Node-API. The issue that is tracking the transition was: https://github.com/nodejs/abi-stable-node/issues/420

Background
You may have noticed N-API changed to Node-API in the documentation within the Node.js project. N-API has always stood for Node-API but was often pronounced NAPI. A concern was raised that, when pronounced that way, it could be mistaken for a derogatory term. We therefore made it our goal to clarify that N-API is Node-API whenever possible without introducing breaking changes.

What’s changing (only in more recent versions):

  • References: Documentation, blog posts, and similar will now refer to “Node-API”.
  • Folders: Internally referenced folders (e.g. test folders) have been renamed from n-api to node-api.
  • Badges hosted on Node repositories: Existing badges’ image contents have been updated to “Node-API” without changing their URLs.
  • New symbols: Additions to Node-API and related projects will now have a different prefix, e.g. node_api_get_module_file_name.
  • Types, macros, and defines: Externally-facing API names, such as feature guards, will now start with NODE_API_ instead of NAPI_.
  • New node arguments: Node-API configuration via node command-line arguments, e.g. --force-node-api-uncaught-exceptions-policy, will refer to the new name.

What’s not changing:

  • Old symbols: Existing symbols (e.g. napi_create_reference) will remain the same. This ensures ABI stability, such that a previously compiled add-on will continue to load in newer Node versions.
  • Types, macros and defines: Names like napi_status, NAPI_MODULE, and the Napi namespace (in node-addon-api) will remain the same. This ensures existing code can be recompiled with no changes.

We believe that we’ve made this change in a way that addresses the issue while limiting the impact to users of Node-API and hope this post helps you understand the approach and what to look out for. As always if you have any questions/concerns please open an issue in https://github.com/nodejs/abi-stable-node or https://github.com/nodejs/node-addon-api.

Node.js Mentorship New Mentee Opening

By Blog, Node.js, Uncategorized

This post was written by the Node.js Mentorship Initiative and was first published on the Node.js Medium account.

The Node.js Mentorship Initiative is excited to announce a new opening. We are looking to add a new mentee to our initiative. We, therefore, invite developers who are passionate about the Node.js ecosystem and are willing to learn and contribute towards its growth and development to apply to this opportunity.

The Mentorship Initiative prides itself on identifying the specific needs of Working Groups and Initiatives within Node.js and posting applications for the available opportunities.

Over the past year, we have helped the Examples Initiative and the N-API working group to recruit new mentees, which is in line with our objective of helping to bring more and more contributors into the Node.js ecosystem, and eventually the broader OpenJS ecosystem.

We’re looking for someone with a decent knowledge of GitHub and good technical and communication skills, as the responsibilities of a mentee will include routine repo maintenance, communication with other initiatives to gather feedback, and the design of technical challenges to be completed by applicants.

This is a great opportunity to make a meaningful impact on Node.js while learning from industry leaders and world-class software engineers. Please apply here by May 13th, 2021. We look forward to receiving your application.

Project News: Node.js v16 Available

By Announcement, Blog, Node.js, Project Update

The Node.js Project, a hosted project of the OpenJS Foundation, has announced the release of Node.js v16. Highlights include the update of the V8 JavaScript engine to 9.0, prebuilt Apple Silicon binaries, and additional stable APIs.

You can download the latest release from https://nodejs.org/en/download/current/, or use Node Version Manager on UNIX to install with nvm install 16. The Node.js blog post containing the changelog is available at https://nodejs.org/en/blog/release/v16.0.0.

Initially, Node.js v16 will replace Node.js 15 as our ‘Current’ release line. As per the release schedule, Node.js 16 will be the ‘Current’ release for the next 6 months and then be promoted to Long-term Support (LTS) in October 2021. Once promoted to long-term support, the release will be designated the codename ‘Gallium’.

As a reminder — Node.js 12 will remain in long-term support until April 2022, and Node.js 14 will remain in long-term support until April 2023. Node.js 10 will go End-of-Life at the end of this month (April 2021). More details on our release plan/schedule can be found in the Node.js Release Working Group repository.

A new major release is a sum of the efforts of all of the project contributors and Node.js collaborators! Congrats to all who made it possible!

Read the full blog with all the details on the Node.js blog.

Node.js Certifications and Training Sale

By Announcement, Blog, Node.js

Node.js Certifications and Training Sale + New Preview of Testing Environment

Training and certifications are some of the most valuable investments we can make in ourselves, both to sharpen our skills and to show prospective employers, and the world, that we have what it takes as developers. Now is a great time to invest in yourself, or in your engineering team. From March 29 through April 9, the OpenJS Foundation, in partnership with the Linux Foundation, will be discounting all Node.js Certification and Training. 


Limited offer: check out the new preview testing environment
Today, in partnership with the LF, we are rolling out a free Node.js Environment Preview beta exam, which focuses on our Node.js certifications, the OpenJS Node.js Application Developer (JSNAD) and OpenJS Node.js Services Developer (JSNSD). 

One of the most frequent requests we receive is to preview what the certification exam experience is like before actually sitting for an exam. Whether you get tripped up by test anxiety or low bandwidth, running through this Node.js Environment Preview will make you more familiar with the look and feel of the certification exam experience. This way you will know what to expect, so you can focus on your Node.js knowledge.

This Node.js Environment Preview beta is available for a limited time — we have 4,000 free coupons to give away. Try it out and see how you performed on this self-graded environment preview. And don’t pass up this big sale.

Full sale details

Discounts include 

What’s included with certifications?

  • 12 month exam eligibility    
  • Free exam retake
  • Digital badge and PDF certificate upon passing

What’s included in online trainings?

  • Hands-on labs & assignments
  • Video content
  • 12 months of access to online courses
  • Discussion forums
  • Digital badge and PDF certificate upon completion

Node.js Certifications

Certifications are excellent ways to validate your own development skills to yourself, employers, and the world. 

The OpenJS Node.js Application Developer certification is ideal for the Node.js developer with at least two years of experience working with Node.js. For more information and how to enroll: https://training.linuxfoundation.org/certification/jsnad/

The OpenJS Node.js Services Developer certification is for the Node.js developer with at least two years of experience creating RESTful servers and services with Node.js. For more information and how to enroll: https://training.linuxfoundation.org/certification/jsnsd/

Node.js Trainings

Feel confident in taking your exams with the Node.js Training courses. These courses help prepare developers for the Node.js certification exams. 

This course provides core skills for effectively harnessing a broad range of Node.js capabilities in depth, equipping you with the rigorous skills and knowledge to build any kind of Node.js application or library. While by design the training content covers everything but HTTP and web frameworks, the crucial fundamentals presented prepare the student to work with web applications along with all other types of Node.js applications.

This course provides a deep dive into Node core HTTP clients and servers, web servers, RESTful services and web security essentials. With a major focus on Node.js services and security, this content is an essential counterpart to the Node.js Application Development (LFW211) course, and will prepare you for the OpenJS Node.js Services Developer (JSNSD) exam.

If this sounds like something you’d like to know more about, check out more information at this link