

Node.js is a tool for executing JavaScript in a variety of environments.


Moving beyond console.log() — 8 console methods you should use when debugging JS and Node

When talking about the Console API, newbies usually use only some functions like 👌console.log(), ⚠️ console.warn(), or ❌ console.error() to debug their application, while often there are many other methods which can perfectly implement our requirements and improve debugging efficiency.

Guilty! ✋

This article is made to expose some of the most interesting console methods with related examples that I use while teaching at Codeworks. So let’s see a list of the 8 best functions from the Console module!

I have used console.table a few times (totally rad), but there’s plenty of functions here that I haven’t been using (and definitely should be).

Liran Tal Snyk

Sequelize ORM found vulnerable to SQL injection

SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up.

As a testament for Sequelize’s commitment to security and protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.


A simpler, faster alternative to `nvm run`

nve differentiates itself from nvm run because it:

  • can be run programmatically
  • is 10 times faster
  • does not need a separate installation step for each Node version
  • works on Windows
  • does not require Bash
  • is installed as a Node module

Worth noting: this is not a full-on replacement for nvm or any other version manager. It only executes a single command with the specified Node version. But sometimes, that’s all you need. 😄


Sqlite To Rest

LGTM, but why?

Mostly because I wanted to dig deeper into node web server code, but also because I haven’t jumped onto the NoSQL bandwagon and think that web APIs are extremely useful. The result is a modest attempt at automating the CRUD boilerplate that every developer hates, while following the specs to make API consumption intuitive. I chose sqlite to keep the database side of things simple, with the intent that the API isn’t serving heavy loads.

Liran Tal

How to securely build Docker images for Node.js

Liran Tal:

Developers, often lacking insights into the intricacies of Docker, may set out to build their Node.js-based docker images by following naive tutorials which lack good security approaches in how an image is built. One of these nuances is the use of proper permissions when building Docker images.

To minimize exposure, opt-in to create a dedicated user and a dedicated group in the Docker image for the application; use the USER directive in the Dockerfile to ensure the container runs the application with the least privileged access possible.

Chi Wang

Deskgap — build cross-platform desktop apps with web technologies

Stop me if you’ve heard this one before… the difference is DeskGap leverages the operating system’s webview instead of baking a browser in with it (like Electron).

DeskGap is a framework for building cross-platform desktop apps with web technologies (JavaScript, HTML and CSS).

To enable native capabilities while keeping the size down, DeskGap bundles a Node.js runtime and leaves the HTML rendering to the operating system’s webview.

Evan You

Build your own Mint (finance analytics) with Plaid, Google Sheets, and CircleCI

Mint is super cool, but handing over your precious financial information to a 3rd-party is always a bit nerve-racking. Evan You’s new Node app builds a bridge between Plaid (for bank access) and Google Sheets (for data storage) so you can roll your own system.

Now you only have to trust your precious financial information to two 3rd-parties 😉. But! This is open source so at least you don’t have to trust the application code.

Eran Hammer Medium

Why you should consider hapi

Eran Hammer makes the case for hapi as your Node web framework of choice. We’ve been talking about dependencies a lot lately due to recent events. In light of that, think about this:

hapi was the first (and still the only) framework without any external code dependencies… I personally (and manually) review every single line of code that goes into hapi (excluding node itself). I review every pull request on every dependency regardless of whether I am the lead maintainer.

That’s quite the selling point! He has a lot of great reasons why hapi is worthy of your consideration. Click through for the hard pitch.

Sindre Sorhus

Small focused modules

This was from an AMA, but Sindre turned it into a blog post since his response was so popular. Also, his answer applies particularly to Node.js. Sindre writes on his blog:

Make small focused modules for reusability and to make it possible to build larger more advanced things that are easier to reason about.

And, also…

It doesn’t matter if the module is one line or hundreds. It’s all about containing complexity. Think of node modules as Lego blocks. You don’t necessarily care about the details of how it’s made. All you need to know is how to use the Lego blocks to build your Lego castle. By making small focused modules you can easily build large complex systems without having to know every single detail of how everything works.


The Node.js Foundation and JS Foundation intend to push the merge button

Hot off the press:

An intent to merge means that we the boards of both Foundations have agreed to public discussions related to a possible merger. We have not made any formal decisions at this point regarding a new or merged Foundation and its potential organizational structure, governance policies, technical framework or leadership. This will be formalized based on feedback from the Node.js and JavaScript communities.

There will be a panel and Q&A at Node+JS Interactive next week and you know that the JS Party crew will be there with the full coverage. 💪


Getting rid of node_modules

The Yarn team is brewing up a new way to resolve dependencies:

This RFC describes a new alternative and entirely optional way to resolve dependencies installed on the disk, in order to solve issues caused by the incomplete knowledge Node has regarding the dependency tree. We also detail the actual implementation we went with, describing the rationale behind the design choice we made.

Pretty exciting if/when they pull it off. The wins:

  • Installs run using Plug’n’Play are up to 70% faster than regular ones (sample app)
  • Starting from this PR, Yarn will now be on the path to make yarn install a no-op on CI
  • Yarn will now be able to tell you precisely when you forgot to list packages in your dependencies
  • Your applications will boot faster through a hybrid approach of static resolutions

Apoorv Saxena

Asynchronously resolve subscribed decisions in a pub/sub architecture (pure JS)

AsyncResolver.js implements a PubSub architecture where subscribers of events are decision makers (return promise when they receive an event) and after publishing an event, publisher gets the decision of the subscribers. Supports both Node and browser.

The README has more details on when this might be useful to you.

Fedor Indutny

HashWick V8 vulnerability

Get the backstory on the Hash Seed guessing game and HashWick from Fedor Indutny:

About one year ago, I discovered a way to do a Denial-of-Service (DoS) attack on a local Node.js instance. The process involved sending huge amounts of data to the HTTP server running on the same machine as the attacker, and measuring the timing differences between various payloads. Given that the scope of the attack was limited to the same machine, it was decided by the V8 team and myself that the issue wasn’t worth looking into yet. Nevertheless, a blog post was published.

This year, I had a chance to revisit the Hash Seed guessing game with restored enthusiasm and new ideas. The results of this experiment are murky, and no fix is available yet in V8. Thus all V8 release lines are vulnerable to the HashWick attack.

Fedor also mentioned that this issue was disclosed responsibly and this blog post was published 90+ days after the initial report.
