
Node.js v7 Beta Brings Canary in a Gold Mine

The Node.js Foundation have released the v7 beta for Node.js, with a focus on stability and the latest version of V8.

Node's beta release coincides with v6 becoming the project's second LTS release, where its life will continue under Active LTS and Maintenance until April 2019.

Rod Vagg, chairperson for the Node.js Technical Steering Committee, said the key focus for v7 was "to make sure modules in the ecosystem are keeping up with Node Core."

The project's core technical steering committee is using a technology called Canary in the Gold Mine (citgm) to pull down modules from npm and test whether they will break when Node.js updates its versioning, giving the release team a greater understanding of what will break before they release new versions.

Myles Borins, member of the Node.js project core technical and collaborators committee, told InfoQ that Citgm is currently testing 70 modules from the ecosystem, selected initially based on npm statistics including most installed, and most depended on.

Borins said:

Citgm grabs the source code of a named module, it runs `npm install` and `npm test` and then reports the results. It has a logger with various verbosity levels, and a variety of reporters that can be used. The results can be published in TAP or jUnit, which are great if you are running in CI and want to use tools that consume TAP. Citgm can also report in Markdown if you are publishing the results to GitHub.

If you want to run all the test suites for all modules found in a lookup table then use citgm-all. It will automate the running of all tests and give itemized results at the end. It mostly has all the same options as citgm, aside from being able to install a module from a specific SHA.
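The flow Borins describes (run `npm install` and `npm test` for each module, then report in TAP or Markdown), as an added example that is not citgm's own code. The function names, module names and paths are assumptions, and each module's source is assumed to be checked out already.

```javascript
// Added sketch of the flow described above; not citgm's source code.
// Assumes each module's source is already checked out in `dir`.
// npm install/test run third-party scripts, so use a disposable CI sandbox.

// Default step runner: `npm <step>` in the checkout, true on exit status 0.
function npmStep(dir, step) {
  const { spawnSync } = require('child_process'); // loaded only when spawning
  const res = spawnSync('npm', [step], { cwd: dir, stdio: 'ignore' });
  return res.status === 0;
}

// Install, then test, each module; a failed install skips its test run.
function smokeTest(modules, runStep = npmStep) {
  return modules.map(({ name, dir }) => {
    for (const step of ['install', 'test']) {
      if (!runStep(dir, step)) return { name, ok: false, failed: `npm ${step}` };
    }
    return { name, ok: true, failed: null };
  });
}

// TAP version 13 report, with a YAML diagnostic block for each failure.
function toTap(results) {
  const lines = ['TAP version 13', `1..${results.length}`];
  results.forEach((r, i) => {
    lines.push(`${r.ok ? 'ok' : 'not ok'} ${i + 1} - ${r.name}`);
    if (!r.ok) lines.push('  ---', `  message: "${r.failed} failed"`, '  ...');
  });
  return lines.join('\n');
}

// Markdown table for posting the same results to a GitHub issue or PR.
function toMarkdown(results) {
  const rows = results.map(
    r => `| ${r.name} | ${r.ok ? 'pass' : 'FAIL (' + r.failed + ')'} |`);
  return ['| Module | Result |', '| --- | --- |', ...rows].join('\n');
}

// Constructed sample: a stub runner stands in for npm so the demo runs offline.
const sample = [
  { name: 'example-mod-a', dir: '/tmp/example-mod-a' },
  { name: 'example-mod-b', dir: '/tmp/example-mod-b' },
  { name: 'example-mod-c', dir: '/tmp/example-mod-c' },
];
const stub = (dir, step) =>
  !(dir.endsWith('-b') && step === 'test') &&
  !(dir.endsWith('-c') && step === 'install');
const sampleResults = smokeTest(sample, stub);
console.log(toTap(sampleResults));
console.log(toMarkdown(sampleResults));
```

Calling `smokeTest(modules)` without the second argument uses the real `npm` runner against the given directories.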

Node.js's beta of v7 is notable for being the first beta release since the io.js/Node.js merger that has been produced by the Node.js project, with a series of betas expected to be released up to the official v7 release, to help ensure semver major changes will not need to be reverted.

Node.js v7 will also be the first time that it has been released with an up-to-date version of the V8 JavaScript Engine. According to the V8 blog, 5.4 "delivers a number of key improvements in memory footprint and startup speed," with peak memory consumption of on-heap memory reduced by up to 40%.

Borins says Node.js v7 is a checkpoint release for the project, and will focus on stability and updating to the latest versions of V8, libuv, and ICU.

The Node.js Foundation has also announced security updates for all of its active release lines, reporting a list of vulnerabilities affecting Node.js. Among these is CVE-2016-6304: OCSP Status Request extension unbounded memory growth, considered to be a flaw of high severity.

CVE-2016-6304 potentially allows a malicious client to exhaust a server's memory, resulting in a DoS by sending very large OCSP Status Request extensions in a single session. Node.js servers using TLS are vulnerable.

Node.js v8 is slated for release in April 2017, with the team looking at language compatibility, adopting modern web standards, growth internally for VM neutrality and API development, and support for growing Node.js use cases.

Node.js v5 reached the end of its natural life after two months in Maintenance mode in June 2016. Node.js v6 will become the second LTS release for Node.js in October, with the release of v7.
