Node.js 10 innovations in development and security
Node.js 10.0.0 was recently released. This is the seventh major release of the platform. In October 2018, he will receive LTS status for three years. Usually the main releases of Node are released twice a year. One - in April, and the second - in October. The material, the translation of which we are publishing today, gives an overview of the main innovations of Node.js 10.0.0 in terms of server application development and security.
Before Node 10.0.0 was released, the only way to recognize errors in
In total, about 300 commits were made to improve the error handling situation. Due to this, we now have error codes that are more convenient to check than messages. It simplifies the work.
')
Performance improvements include asynchronous generators, built-in asynchronous loops that support work with promises, and improved mechanisms for working with arrays.
Using the Node V8 6.6 engine gave a significant performance boost. So, for example, functions for working with arrays, such as
All these and other improvements contribute to improving the performance of applications built on the Node.js platform.
It was possible to convert functions using callbacks into constructions that support promises even earlier, with the help of
The HTTP / 2 protocol supports TCP multiplexing. This means that the procedure for establishing a TCP connection can be performed only once, after which the server can reuse an existing connection to send responses to various requests.
HTTP / 2, in addition, supports the technology to send data initiated by the server (server push). In particular, this means that when the browser requests the HTML file from the server, the server can, on its own initiative, send the files with the JS code and CSS rules necessary for the correct display of the page to the browser. These resources fall into the browser cache. As a result, when these resources are needed by the browser, it will be able to use them much faster than if it had to, in order to download them, intentionally request them from the server. Here is an example using HTTP / 2.
It should be noted that browsers support HTTP / 2 only via SSL, so here, in production, you need some kind of proxy server, like Nginx.
Node 10.0.0 adds support for the OpenSSL 1.1.0 cryptographic library, which supports TLS / SSL protocols. Thanks to this library, in addition, you can now work with the ChaCha20 stream cipher and the Poly1305 message authentication algorithm. In October, it is planned to expand the set of supported cryptographic technologies. We are talking about the support of AEAD encryption modes, which are used to organize secure messaging, and support for additional cryptographic libraries.
Here it should be noted that with the release of npm 6.0 special attention was paid to security. This was partly due to the results of one study, which showed that 97% of JavaScript developers worldwide rely, at least in some of their developments, on open-source projects. Moreover, 77% of developers are worried about the security of such solutions. In order to better document and fix module vulnerabilities and potential dependency conflicts, npm purchased the Node Security Platform project. This project is the main source of information about vulnerabilities of JS packages.
Npm 6.0 supports a new command to analyze security issues:
Node.js 10.0.0 has some improvements regarding javascript. Here are some of them:
In Node.js 10.0.0, debugging is greatly simplified. In particular, the developer now has a
N-API is an API for developing native extensions for Node.js. This API is independent of the JS engine (for example, V8), it is supported as part of Node.js itself.
The N-API is not tied to the Node release. That is, when the new release of Node is released, extensions written for old releases will not have to be redone. In particular, we are talking about abstraction over API V8, which gives developers of native extensions a stable environment. Until now, the N-API had the status of an experimental technology, however, in Node 10.0.0 it was transferred to the category of stable API.
In general, N-API is useful to developers of native extensions for Node due to the fact that it gives them a fairly stable means for interacting with the platform. At the same time, ideally, thanks to the N-API, developers of native modules may not worry, for example, which JS engine is used in a particular Node installation.
As you know, the Node.js platform was initially supported only by the V8 JS engine, but now, as part of the Node-ChakraCore project , work is underway to support Microsoft’s ChakraCore engine in Node. In general, support for Node alternative JS engines is a good trend, which may be of particular interest to IoT developers.
In Node 10.0.0 a lot of new things have appeared. With the development of this platform becomes more productive, convenient and versatile. At the moment, the current release of Node is Node 10.1.0 , in which some bugs were fixed and some things were improved.
Dear readers! Which features of Node.js 10 seem to you the most interesting?
Error handling improvements
Before Node 10.0.0 was released, the only way to recognize errors in
catch expressions was to check the text of the error message, which complicated problem analysis and application debugging. It looked like this.
try { // - } catch(error) { if(error.message == 'Some error message') { // } else { // } }
In total, about 300 commits were made to improve the error handling situation. Due to this, we now have error codes that are more convenient to check than messages. It simplifies the work.
')
try { // - } catch(error) { if(error.code == 'Some error code') { // } else { // } }
Improved performance
Performance improvements include asynchronous generators, built-in asynchronous loops that support work with promises, and improved mechanisms for working with arrays.
Using the Node V8 6.6 engine gave a significant performance boost. So, for example, functions for working with arrays, such as
reduce , map and filter , are about 10 times faster.
const sum = [1,2,3,4,5,6].reduce((sum, num) => sum+=num,0);
All these and other improvements contribute to improving the performance of applications built on the Node.js platform.
Experimental version of the fs module with promise support
It was possible to convert functions using callbacks into constructions that support promises even earlier, with the help of
utils.promisify . However, if we talk about the use of promises, it is much better if a certain API is initially oriented towards them. Now the fs module supports promises in experimental mode. Full support is expected in the October release of Node.
Improved HTTP and HTTP / 2 support
The HTTP / 2 protocol supports TCP multiplexing. This means that the procedure for establishing a TCP connection can be performed only once, after which the server can reuse an existing connection to send responses to various requests.
HTTP / 2, in addition, supports the technology to send data initiated by the server (server push). In particular, this means that when the browser requests the HTML file from the server, the server can, on its own initiative, send the files with the JS code and CSS rules necessary for the correct display of the page to the browser. These resources fall into the browser cache. As a result, when these resources are needed by the browser, it will be able to use them much faster than if it had to, in order to download them, intentionally request them from the server. Here is an example using HTTP / 2.
const http2 = require('http2') const server = http2.createSecureServer( { cert, key }, onRequest ) function push (stream, filePath) { const { file, headers } = getFile(filePath) const pushHeaders = { [HTTP2_HEADER_PATH]: filePath } stream.pushStream(pushHeaders, (pushStream) => { pushStream.respondWithFD(file, headers) }) } function onRequest (req, res) { // index.html if (reqPath === '/index.html') { push(res.stream, 'bundle1.js') push(res.stream, 'bundle2.js') } // res.stream.respondWithFD(file.fileDescriptor, file.headers) }
It should be noted that browsers support HTTP / 2 only via SSL, so here, in production, you need some kind of proxy server, like Nginx.
Cryptography and Security
Node 10.0.0 adds support for the OpenSSL 1.1.0 cryptographic library, which supports TLS / SSL protocols. Thanks to this library, in addition, you can now work with the ChaCha20 stream cipher and the Poly1305 message authentication algorithm. In October, it is planned to expand the set of supported cryptographic technologies. We are talking about the support of AEAD encryption modes, which are used to organize secure messaging, and support for additional cryptographic libraries.
Here it should be noted that with the release of npm 6.0 special attention was paid to security. This was partly due to the results of one study, which showed that 97% of JavaScript developers worldwide rely, at least in some of their developments, on open-source projects. Moreover, 77% of developers are worried about the security of such solutions. In order to better document and fix module vulnerabilities and potential dependency conflicts, npm purchased the Node Security Platform project. This project is the main source of information about vulnerabilities of JS packages.
Npm 6.0 supports a new command to analyze security issues:
npm audit . It allows users to recursively analyze dependency trees to detect potential conflicts and problem areas. This allows developers to replace obsolete packages with their newer versions in their projects, without waiting for problems to occur, or switch to other packages if those that they use can cause unwanted effects.
Javascript enhancements
Node.js 10.0.0 has some improvements regarding javascript. Here are some of them:
- There is no longer any need to use parameters in the
catchexpression oftry-catch. - The
Function.prototype.toString()command now returns only the text of the source code of the function, which has a beneficial effect on security by preventing information leakage. - In Node, thanks to the new V8, there was support for the methods
String.prototype.trimEnd(),String.prototype.trimStart().
Improved debugging mechanisms
In Node.js 10.0.0, debugging is greatly simplified. In particular, the developer now has a
trace_events module, which allows centrally, from the code (that is, for this you no longer need to access the command line), manage the trace information coming from various sources, in particular, from the V8 engine, from the kernel node and from custom code. This data can be written to a file, they are understood by the Google Chrome developer tools. This is how the new API works.
const t_events = require('trace_events') const tracing = t_events.createTracing({ categories: ['async.hooks', 'v8'] }) tracing.enable() // - tracing.disable()
Full N-API support
N-API is an API for developing native extensions for Node.js. This API is independent of the JS engine (for example, V8), it is supported as part of Node.js itself.
The N-API is not tied to the Node release. That is, when the new release of Node is released, extensions written for old releases will not have to be redone. In particular, we are talking about abstraction over API V8, which gives developers of native extensions a stable environment. Until now, the N-API had the status of an experimental technology, however, in Node 10.0.0 it was transferred to the category of stable API.
In general, N-API is useful to developers of native extensions for Node due to the fact that it gives them a fairly stable means for interacting with the platform. At the same time, ideally, thanks to the N-API, developers of native modules may not worry, for example, which JS engine is used in a particular Node installation.
Experimental support for ChakraCore
As you know, the Node.js platform was initially supported only by the V8 JS engine, but now, as part of the Node-ChakraCore project , work is underway to support Microsoft’s ChakraCore engine in Node. In general, support for Node alternative JS engines is a good trend, which may be of particular interest to IoT developers.
Results
In Node 10.0.0 a lot of new things have appeared. With the development of this platform becomes more productive, convenient and versatile. At the moment, the current release of Node is Node 10.1.0 , in which some bugs were fixed and some things were improved.
Dear readers! Which features of Node.js 10 seem to you the most interesting?
Source: https://habr.com/ru/post/359150/
All Articles