#265 — November 29, 2018

Node Weekly

Backdoor Found in Heavily Used npm Package

The biggest Node news this week is that event-stream, an npm package with almost 2 million downloads every week, was the target of a supply-chain attack (original report here). A malicious dependency was introduced into the package, but its payload only activated under limited circumstances (in builds of the Copay bitcoin wallet and related libraries), where it attempted to capture wallet data in order to steal cryptocurrency.

Relatively few Node developers or apps are affected by the issue directly, but it's provoked much discussion in the community around the stewardship and transfer of modules, so we're linking to some of the key articles today.

The event-stream Vulnerability Explained — A good writeup of what the attack entailed and how it technically worked behind the scenes.

Zach Schneider

event-stream's Creator's Statement — Dominic originally created event-stream for his own benefit and had no reason to doubt the malicious developer who offered to take over maintenance of the library. Here he tells his side of the story and suggests things we need to think about as a community to help in future.

Dominic Tarr

New Course: Introduction to Node.js by Scott Moss ✨ 👀 — Node.js can be used for build tools, desktop apps, mobile apps, databases, and more. Learn the foundations of Node.js so you can go forward and create fantastic JavaScript apps outside the browser.

Frontend Masters sponsor

Node.js November 2018 Security Releases — All active Node release lines have new releases fixing a variety of vulnerabilities, from denial-of-service issues in the HTTP layer to a Node 6.x issue where the legacy debugger listened on all network interfaces by default rather than only on localhost, exposing it to remote connections. The releases are 11.3.0, 10.14.0, 8.14.0 and 6.15.0.

Node.js Foundation

ncc: The Node.js Compiler Collection — Inspired by native compiler toolchains, ncc can output a self-contained script (not an executable, like pkg does) that bundles all its dependencies.


Details About the event-stream Incident from npm, Inc. — As owners of the registry through which npm packages are distributed, npm Inc. has something to say on the event-stream incident (featured above) and recommends you run npm audit to check whether your projects depend on the affected versions of the module.

npm Inc.

💻 Jobs

Sr. Fullstack Engineer (Remote) — Sticker Mule is looking for passionate developers to join our remote team. Come help us become the Internet’s best place to shop and work.

Sticker Mule

100+ Node.js and JavaScript Roles on hackajob — Upload your projects from GitHub and we'll do the rest. Find a role based on your skills, average salary £70k.


📘 Tutorials & Opinions

Transpiling and Publishing ES2018 npm Modules with Babel 7 — How to use the latest and greatest JavaScript features but still ensure your packages can be used by as wide an audience as possible.

Sean van Mulligen

Testing HTTP Requests in Node Using Nock — nock, or “network mock”, is a library for mocking HTTP server requests.

Josh Sherman

Automating Excel File Generation using ExcelJS — How to easily generate Microsoft Excel workbooks/spreadsheets using the ExcelJS module.

Jordan Nelson

Writing Memory Efficient Software Applications in Node — See how to optimize your Node.js programs by 90% using automatic back pressuring.

Naren Yellavula

Testing Your API with Dredd — Dredd is a language-agnostic command-line tool for validating a description of an API against the backend implementation.

Milhad Salihi

Using Custom Images to Bring Your Linux Disk Images to DigitalOcean

DigitalOcean sponsor

▶  The Art of Building Node.js Projects at Scale — An IBM engineer tells the tale of building LoopBack 4 using Node and TypeScript.

Raymond Feng (IBM)

Why You Should Isolate Express from the Rest of Your App — Loosely coupling your app logic from the Web side of things could help you with testing, structure, and more.

Corey Cleary

🔧 Code and Tools

progress-estimator: A Progress Bar and Time Estimate for Promises — It tracks previous durations between responses in order to provide more accurate completion time estimates over time.

Brian Vaughn

nodenv: Manage Multiple Node Versions Easily — Specify your app’s Node version once in a single file and it all Just Works™.

Will McKenzie and Sam Stephenson

N|Solid for AWS Lambda: Low-Impact Monitoring for Serverless Node.js Apps — The N|Solid runtime is now available for serverless Node.js apps on AWS Lambda.

NodeSource sponsor

create-yo: Use Any Yeoman Generator with npm init

Christopher Hiller

whitebophir: A Web-Based Collaborative Whiteboard — There’s an open public demo (be warned, people may draw offensive stuff on there).

Ophir Lojkine

yamlful: YAML-Based HTTP Client Code Generation

Jonas Galvez