Node.js 10.0.0, What to expect as a Backend developer/Security enthusiast?

Recently Node.js Project released 10.0.0 and which is the 7th major release and will be LTS(Long term support) in October 2018 and will be supported for 3 years.Note: Node.js project usually do two major release in an year, one in April and other in October

OK! This is fine but what are the new feature and are they worth looking at? let’s find out !

Error Handling Improvements

Before Node v10.0.0 the only way to match errors in catch clauses was to check for the error message which made difficult to analyse, debug.

For Node Version≤10.0.0

About 300 commits were (check here) made on this and now we have error codes to ease constant error-checking which was just a error message previously.

For Node Version≥10.0.0

Performance Improvements (async generator, async iteration inbuilt promise execution and array performance improvements**)**

reduce/map/filter huge performance boots

Use of V8 v6.6 have huge performance boosts, function like reduce, map, filter has become 10 times faster.promises. All of these serve as a small but significant — and permanent — performance boost for applications built using Node.js.

Experimental Promisfied Versions of the ‘fs’ Functions

Introduction of util.promisify to wrap functions which provide a callback API but this is an experimental feature, may be in October release, functions of the fs return promises directly.

HTTP and HTTP/2 Improvements

HTTP/2 protocol supports TCP multiplexing, which means that TCP handshakes have to be handled only once and the server can reuse an already existing connection to send the response of multiple requests through the same connection.

It also supports server push, so when the browser requests an HTML file, you can send along the necessary JavaScript scripts and CSS stylesheets before the page is loaded and parsed. The browser realizes that it will need more round trips to requests all the necessary information to properly render the site. Below is the sample example to use HTTP2

But browsers only support HTTP/2 over SSL so some kind of edge proxy is required, like for Nginx in production.

Cryptographic Support and Security Imporvements

Supports for the OpenSSL 1.1.0 security toolkit is added in 10.0.0 which is the latest version of the open source cryptography and toolkit for Transport Layer Security and Secure Sockets Layer (TLS/SSL) protocols. Cryptographic support for ChaCha20 cipher and Poly1305 authenticator is also added. In October they are planing to expand the options available for using “AEAD” cipher suites, the current gold-standard for encrypted communication on the web and add more comprehensive cryptographic library.

Side note: The npm v.6.0 release line is concerned with security. This was spurred in part by a survey showing that 97 percent of JavaScript developers worldwide rely on open source code at least in part for their projects, and that 77 percent of those are concerned about the security of doing so. To better document — and fix — module vulnerabilities and potential dependency conflicts, npm moved to acquire the Node Security Platform, the definitive source of known JS package vulnerabilities.

In fact, npm v.6 contains a new shortcut specifically to address this: npm-audit allows users to recursively analyze dependency trees to identify potential conflicts and insecurities. A proactive step allowing devs to swap out for updated or better-fit versions before anything breaks, “npm audit” totally rocks.

JavaScript language improvements

There are lot of language improvements some of them are :

1. Catch clause of the try statements no longer calls for a parameter
2. Function.prototype.toString(), which now returns exact slices of source code text, and mitigations for side-channel vulnerabilities to prevent information leaks.
3. V8 “introduces”: String.prototype.trimEnd(), String.prototype.trimStart()

Improved diagnostics trace events (Super time saver) ⏲

Debugging the code in 10.0.0 is super duper easy, now we have trace events that create a manual tracing to a category and when enabled pass the diagnostic code to a file which can be read by google chrome dev-tools. No more cli to be used for creating traces for code, now we have javascript API that helps enabling/disabling trace events dynamically.

Full support for N-API

Wait ! but what is N-API ?

Its an API for building native Addons in Node.js. It is independent from the underlying JavaScript runtime (ex V8) and is maintained as part of Node.js itself. This API will be Application Binary Interface (ABI) stable across versions of Node.js.

The N-API provides an abstraction surface over the V8 APIs so changes in those can be handled in a higher level layer, resulting in a more stable surface that native addon developers can use. So far it was an experimental feature, but it has been promoted to stable in Node v10, i think its the time to start using it 😺

Take away

1. Stable module API, one that is not influenced by the changes in Node.js’s V8 JavaScript engine
2. API layer makes upgrading a whole lot easier, streamlining production deployments and ease the maintenance

The Experimental Node-ChakraCore 🚀

Node.js originally ran only on Chrome’s V8, but lately it’s implementation on Microsoft’s ChakraCore which is under development will open the door for VM diversity. By using the N-API, it is easier to create bindings for different VMs, so porting Node.js to other runtimes will be a lot easier. It will especially be useful for IoT developers.

If you are new to Node.js or looking for a starter kit with everything in place to start writing your logic, use : https://github.com/dg92/node-express-postgres-redis-starter-kit

I am happy to receive any feedback may be positive or negative.

THANK YOU!

If you like this article, please recommend and share to help others find it!