LoopBack Drops Support for Node 0.10 and 0.12

At the end of October 2016, the Node project stopped official support of version 0.10. At the end of 2016, the project will also stop supporting v0.12. The primary trigger was that the OpenSSL project no longer supports the OpenSSL versions included in Node v0.10 and 0.12. As a result, there will be no more security fixes for OpenSSL in these release lines.

How is LoopBack dealing with these changes?

The LoopBack team has long wanted to use ECMAScript 6 (ES6, also known as JavaScript 2015) constructs such as classes and arrow functions. But doing so would require raising the minimum supported version of Node. We started the discussions many months ago, but the need to support users running on old Node versions outweighed the benefits of ES6.

JavaScript ES6 Variable Declarations with let and const

Everyone in the JavaScript world is talking about ECMAScript 6 (ES6, a.k.a. ES 2015) and the big changes coming to objects (class, super(), etc), functions (default params, etc), and modules (import/export), but less attention is being given to variables and how they are declared. In fact, some attention is being given, but perhaps without the right focus. I recently attended the jQuery UK conference where Dave Methvin gave a nice overview of ES6, with some great attention on let and const.

In this article I wanted to cover these two new keywords for declaring variables and differentiate them from var. And possibly more importantly, I want to identify what some folks are considering the new standard for declaring variables in ES6. The basic idea here is that let should, in time, replace var as the default declaration keyword. In fact, according to some, var should simply not be used at all in new code. The const keyword should be used for any variable where the reference should never be changed, and let for anything else.


Are Node and io.js affected by the “FREAK Attack” OpenSSL vulnerability?

Recently a security vulnerability, dubbed “FREAK Attack”, was reported that affects certain versions of OpenSSL, the popular open source encryption library which is used in many server products such as Apache.

Specifically, the ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.

Fortunately, Node.js v0.10.36, v0.12 and io.js are not affected by the reported vulnerability. They use a more recent version of OpenSSL in which the reported vulnerability has already been fixed.

In older versions of Node.js (0.10.35 and older, including all versions of v0.8.x) the TLS client uses default OpenSSL cipher suites, which makes them vulnerable. To the users of those Node versions, our recommendation is to upgrade to v0.10.36 as soon as possible.

For details about the reported vulnerability, visit:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
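
A check built from the version ranges quoted above, as an added example that is not code from the original post: it tests an OpenSSL version string (for instance `process.versions.openssl`) and a Node version string against the affected ranges. The function names are assumptions of this example.

```javascript
// Added example. Fixed releases per branch, as quoted in the post for CVE-2015-0204.
const FIXED_SUFFIX = { '1.0.1': 'k', '1.0.0': 'p', '0.9.8': 'zd' };

// OpenSSL letter releases order as "", a..z, za, zb, ...:
// a shorter suffix sorts first, then alphabetical order decides.
function compareSuffix(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

// true/false for a parsable OpenSSL version, null when the string is not one.
function opensslAffectedByFreak(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(version));
  if (!m) return null;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  const branch = `${major}.${minor}.${patch}`;
  if (branch in FIXED_SUFFIX) {
    return compareSuffix(m[4], FIXED_SUFFIX[branch]) < 0;
  }
  // Branches older than 0.9.8 are also "before 0.9.8zd".
  // Branches the post does not list (1.0.2 and later) are reported as false.
  return major === 0 && (minor < 9 || (minor === 9 && patch < 8));
}

// Node releases the post calls vulnerable: 0.10.35 and older, including 0.8.x.
function nodeTlsClientAffected(nodeVersion) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(nodeVersion));
  if (!m) return null;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major === 0 && minor === 11) return null; // 0.11.x is not covered by the post
  return major === 0 && (minor < 10 || (minor === 10 && patch <= 35));
}

// Report on the runtime executing this script.
console.log('openssl', process.versions.openssl,
  'affected:', opensslAffectedByFreak(process.versions.openssl));
console.log('node', process.version,
  'affected:', nodeTlsClientAffected(process.version));
```
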

Running Node or io.js in production?

Check out StrongLoop Arc, a graphical interface for deploying, monitoring and scaling Node apps. Now with process management capabilities including nginx and multi-host support.

Node.js is Enterprise Ready: Open Governance, v0.12 and Big Growth Numbers!

It has been an exciting year so far for Node! Not only has there been tremendous adoption of Node in the enterprise, but in the last week we’ve also seen Node v0.12 finally get released plus the Node project officially move into a foundation with an open governance model.

Node adoption in the enterprise is growing fast

The enterprise is gravitating towards Node with increasing intensity because of its proven performance characteristics, its ability to retain and leverage the skills of JavaScript developers and the ability to deliver projects faster than other languages can. Typical use cases driving the incredible popularity of Node include:

  • API servers – the “glue” that connects devices and apps to data
  • Mobile – backends and full-stack JavaScript hybrid apps
  • Internet of things (IoT) – the exponential rise of connected devices
  • Web – HTTP servers and single page apps

Companies who have gone public about their Node usage or are actively recruiting developers to work on Node projects include some surprising names. Companies like:

  • Whole Foods Market
  • Best Buy
  • Target
  • Wells Fargo
  • Fandango
  • GoDaddy
  • Staples
  • PG&E
  • Macy’s


Node.js v0.12 is Now Available With Improvements to Clustering and Performance

The Node.js community along with StrongLoop, the leading provider of enterprise solutions for Node, are excited to announce the availability of Node v0.12. Today’s release includes improvements to the scalability, performance and availability characteristics of Node. This latest release will continue to help drive the rapid adoption of Node in the enterprise to build API servers, mobile backends plus emerging Internet of Things (IoT) applications.

New in this release

For a complete overview of what’s new, check out the comprehensive “New Features in Node.js v0.12” page.
