Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Node.js 10.0 and npm 6 Released with Emphasis on Security

Node.js 10.0 and npm 6 Released with Emphasis on Security

On April 24 the Node.js project released version 10.0.0 of Node.js and npm Inc released version 6.0 of npm, the JavaScript package manager. Both releases emphasized security improvements, with Node.js 10.0.0 updating to OpenSSL version 1.1.0, and npm including new security-focused features such as the automatic alerting of insecure dependencies. The Node.js release also included a new native programming API and stable HTTP2 support.

According to the official release blog post, "Node.js 10.x focuses mainly on incremental improvements", but this is the first Node version to update to version 1.1.0 of OpenSSL. When this version of OpenSSL was released, it was hailed by cryptographers such as Kenn White of Open Crypto Audit, who said in a tweet:

OpenSSL 1.1.0 is a major refactor: IPv6, EVP, Bignum, core structs, state machine, negotiation. Adds CCM, OCB, ChaCha/Poly, scrypt, BLAKE2.

Judging from the release history on Wikipedia, version 1.1.0 is the first OpenSSL release to break binary compatibility since 1.0 was released in 2010, and upgrading to the new ABI (Application Binary Interface) will allow Node.js to seamlessly adopt further updates, including upcoming TLS 1.3 support scheduled to be released in OpenSSL 1.1.1 in May.

The Node.js release also includes the first non-experimental version of the Node.js API (N-API). According to the release post:

N-API is a stable module API that is independent from changes in V8 allowing modules to run against newer versions of Node.js without recompilation.

This new API is intended not only to make modules that include native (non-JavaScript) code more robust to upgrades in versions of V8, but also to allow the inclusions of alternative JavaScript engines beyond V8. In the blog post that initially announced N-API, Arunush Chandra of Microsoft and Michael Dawson of IBM estimated that dependency on native APIs impacted 30% of packages via direct or indirect dependencies, resulting in a large barrier to upgrading Node.js versions. Said Chandra and Dawson:

The next generation, ABI-stable Node.js API for native modules or N-API aims to solve this problem, by providing an ABI-stable abstraction layer for native APIs in JavaScript VMs. This will allow native module authors to compile their module once per platform and architecture and make it available for any version of Node.js that implements N-API. This holds true even for versions of Node.js that are built with a different VM e.g. Node-ChakraCore.

This version of Node.js also turns on http2 support as a stable part of Node.js core, upgraded from being an experimental feature in the version 8 series. Out of the box support is built into popular server frameworks Hapi and Koa, with some configuration still required for Express. Developers looking to get started with any of these tools can check out a quick tutorial on the Rising Stack blog.

This release is the first in the 10.x release line, which will become the new active Long Term Service (LTS) release line in October 2018. LTS versions are typically guaranteed support for three years, with this release scheduled to have support until April 2021. However, according to the Node.js release schedule, the last LTS version (8.x) is scheduled to expire early (December 2019) to align with the End-Of-Life of OpenSSL 1.0.2.

The new version of Node.js also includes improvements in error handling, diagnostics, and performance. Interested developers can see the full release notes on the Node.js blog, and download the release on the Node.js project home page.

In coordination with the Node.js version 10 release, npm published an announcement about its own new major release, version 6.0. The new npm version 6.0 is available for previous Node.js versions as well as the new Node.js 10.0.0, with the announcement emphasizing security improvements as the primary reasons to upgrade:

Soon, every user of the npm Registry will begin receiving automatic warnings if you try to use code with a known security issue. npm will automatically review install requests against the NSP database and return a warning if the code contains a vulnerability.

In addition, a new command in npm@6, `npm audit`, will soon allow you to recursively analyze your dependency trees to identify specifically what’s insecure — so you can swap in a new version or find a safer alternate dependency.

Developers can update to the latest version of npm by running npm i -g npm@latest.

Rate this Article