
Node.js 10.0 and npm 6 Released with Emphasis on Security

by Kevin Ball on Apr 26, 2018. Estimated reading time: 3 minutes


On April 24 the Node.js project released version 10.0.0 of Node.js and npm Inc released version 6.0 of npm, the JavaScript package manager. Both releases emphasized security improvements, with Node.js 10.0.0 updating to OpenSSL version 1.1.0, and npm including new security-focused features such as the automatic alerting of insecure dependencies. The Node.js release also included a new native programming API and stable HTTP2 support.

According to the official release blog post, "Node.js 10.x focuses mainly on incremental improvements", but this is the first Node version to update to version 1.1.0 of OpenSSL. When this version of OpenSSL was released, it was hailed by cryptographers such as Kenn White of Open Crypto Audit, who said in a tweet:

OpenSSL 1.1.0 is a major refactor: IPv6, EVP, Bignum, core structs, state machine, negotiation. Adds CCM, OCB, ChaCha/Poly, scrypt, BLAKE2.

Judging from the release history on Wikipedia, version 1.1.0 is the first OpenSSL release to break binary compatibility since 1.0 was released in 2010, and upgrading to the new ABI (Application Binary Interface) will allow Node.js to seamlessly adopt further updates, including upcoming TLS 1.3 support scheduled to be released in OpenSSL 1.1.1 in May.

The Node.js release also includes the first non-experimental version of the Node.js API (N-API). According to the release post:

N-API is a stable module API that is independent from changes in V8 allowing modules to run against newer versions of Node.js without recompilation.

This new API is intended not only to make modules that include native (non-JavaScript) code more robust to upgrades in versions of V8, but also to allow the inclusion of alternative JavaScript engines beyond V8. In the blog post that initially announced N-API, Arunesh Chandra of Microsoft and Michael Dawson of IBM estimated that dependency on native APIs impacted 30% of packages via direct or indirect dependencies, resulting in a large barrier to upgrading Node.js versions. Said Chandra and Dawson:

The next generation, ABI-stable Node.js API for native modules or N-API aims to solve this problem, by providing an ABI-stable abstraction layer for native APIs in JavaScript VMs. This will allow native module authors to compile their module once per platform and architecture and make it available for any version of Node.js that implements N-API. This holds true even for versions of Node.js that are built with a different VM e.g. Node-ChakraCore.

This version of Node.js also turns on http2 support as a stable part of Node.js core, upgraded from being an experimental feature in the version 8 series. Out of the box support is built into popular server frameworks Hapi and Koa, with some configuration still required for Express. Developers looking to get started with any of these tools can check out a quick tutorial on the Rising Stack blog.

This release is the first in the 10.x release line, which will become the new active Long Term Support (LTS) release line in October 2018. LTS versions are typically guaranteed support for three years, with this release scheduled to have support until April 2021. However, according to the Node.js release schedule, the last LTS version (8.x) is scheduled to expire early (December 2019) to align with the End-Of-Life of OpenSSL 1.0.2.

The new version of Node.js also includes improvements in error handling, diagnostics, and performance. Interested developers can see the full release notes on the Node.js blog, and download the release on the Node.js project home page.

In coordination with the Node.js version 10 release, npm published an announcement about its own new major release, version 6.0. The new npm version 6.0 is available for previous Node.js versions as well as the new Node.js 10.0.0, with the announcement emphasizing security improvements as the primary reason to upgrade:

Soon, every user of the npm Registry will begin receiving automatic warnings if you try to use code with a known security issue. npm will automatically review install requests against the NSP database and return a warning if the code contains a vulnerability.

In addition, a new command in npm@6, `npm audit`, will soon allow you to recursively analyze your dependency trees to identify specifically what’s insecure — so you can swap in a new version or find a safer alternate dependency.

Developers can update to the latest version of npm by running `npm i -g npm@latest`.
