View profile

The March OpenSSL vulnerability and other Adventures in Nodeland - Issue #52

Matteo Collina
Matteo Collina
Hi Folks, welcome to another edition of Adventures in Nodeland! I’m so excited I will be traveling again soon to London for CityJS - if you are in London, come and say hi! This week we cover two security issues, a few releases, and some interesting libraries. Wait for next edition with some photos of the conference!

We shipped new releases of Node.js with the updated OpenSSL that fixes CVE-2022-0778, that might cause an infinite loop (and a Denial of Service) in certain conditions.
OpenSSL security releases require Node.js security releases | Node.js
I’ve also done a new release of Undici that fixes a few bugs and improves on the mock system. Check it out:
The Fastify ecosystem got a bunch of plugin releases: fastify-session, fastify-reply-from and fastify-static. The first one we talk about is @fastify/session, that ships a new feature to have a custom session id generatoe:
Release v6.5.0 · fastify/session · GitHub
We shipped a a new feature in fastify-reply-from, which is the “http-proxy” module of Fastify, the ability to completely remove the body.
Release v6.6.0 · fastify/fastify-reply-from · GitHub
We shipped a new release of fastify-static that fixes precompressed index and serve the directory without trailing slash.
Release v4.6.0 · fastify/fastify-static · GitHub
fastify-static v4.6.1 actually fixed the support of precompressed index (because bugs).
Release v4.6.1 · fastify/fastify-static · GitHub
During the release cycle for the Node.js security releases, a few flaky tests where identified: pino tests are run before every Node.js release as part of CITGM - Pino v7.9.0 address those issues and add the level number to the mixin callback.
Release v7.9.0 · pinojs/pino · GitHub
pino-pretty v7.5.4 changed how we build sonic boom, making sure the asynchronous stream is flushed before exit.
Release v7.5.4 · pinojs/pino-pretty · GitHub
Unfortunately pino-pretty v7.5.4 broke some tests in pino where we mocked some of the pino pretty internals… leading to pino v7.9.1 (to fix CITGM) again.
Release v7.9.1 · pinojs/pino · GitHub
My quest to fix the flaky tests is still rampant because we still have trouble in getting a green CI run on first try in Github Actions as well as CITGM:
Other Libraries
Release v7.7.1 · mcollina/autocannon · GitHub
Release v7.7.2 · mcollina/autocannon · GitHub
Interesting Libraries
How do CloudFlare workers parse HTML? They use lol-html!
GitHub - cloudflare/lol-html: Low output latency streaming HTML parser/rewriter with CSS selector-based API
How can you rewrite HTML in Node.js? You can use lol-html too with html-rewriter-wasm. What will you build with it?
html-rewriter-wasm - npm
Would you like to have a website with blazing fast loading speed on secondo load? User cache-forever assets:
Cache-Forever Assets
Here is a good reminder on how to contributed to projects with Git:
CloudFlare is eating the cloud from the outside in, launching their first API Gateway:
Announcing the Cloudflare API Gateway
Supply chain attacks are incredibly powerful because one tiny dependency could wreck hundreds of thousands of developers in the span of hours. This is what happened on March 15th:
Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine | Snyk
Did you enjoy this issue? Yes No
Matteo Collina
Matteo Collina @matteocollina

I write about my journey as a core contributor of Node.js, as an author and a maintainer of many modules - including Fastify and Pino. In addition, I speak at conferences, and I will add links to all my talks in case you missed one.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Created with Revue by Twitter.