It's heeere: Node.js 17 is out – but not for production use, says dev team

EcmaScript 6 modules will not stop growing use of Node, claims chair of Technical Steering Committee


Node.js 17 is out, loaded with OpenSSL 3 and other new features, but it is not intended for use in production – and the promotion of Node.js 16 to an LTS release, expected soon, may be more important to most developers.

The release cycle is based on six-monthly major versions, with only the even numbers becoming LTS (long term support) editions. The rule is that a new even-numbered release becomes LTS six months later. All releases get six months of support. This means that Node.js 17 is primarily for testing and experimentation, but also that Node.js 16 (released in April) is about to become LTS. New features in 16 included version 9.0 of the V8 JavaScript engine and prebuilt Apple silicon binaries.

"We put together the LTS release process almost five years ago, it works quite well in that we're balancing [the fact] that some people want the latest, others prefer to have things be stable… when we go LTS," Red Hat's Michael Dawson, chair of the Node.js Technical Steering Committee, told The Register.

"We've hopefully shaken out any issues. Actually at Red Hat we only issue binaries for the LTS releases, and that's what I recommend people to use in production."

Having established that Node.js 17 is not primarily intended for production use, what is new? Inclusion of OpenSSL 3.0 is a big one, Dawson told us. "It gives us a path to community FIPS (Federal Information Processing Standards)," said Dawson – though the OpenSSL team said last month that FIPS 140-2 validation is still in progress and "the final certificate is not expected to be issued until next year."

FIPS 140-2 covers cryptographic modules, and observance of the standard ensures a level of security approved by the US government for sensitive information and requires use of FIPS-approved cryptographic algorithms. There will be some impact on developers if existing applications use disallowed algorithms or keys that are too small. A command-line option enables use of the now-legacy OpenSSL provider if needed. Some distributions of Node.js already provide FIPS support, but "community FIPS" will mean better integration with third-party modules.
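One way to find out whether an application is affected is to probe the runtime directly. The script below is an added example, not code from the Node.js project or from the article; the function names and the sample inventory are constructed for illustration, and it assumes a Node.js version that provides `crypto.getCipherInfo`.

```javascript
const crypto = require('crypto');

// Try to compute a digest; return null on success, else the error code.
function tryHash(name) {
  try {
    crypto.createHash(name).update('probe').digest();
    return null;
  } catch (err) {
    return err.code || err.message;
  }
}

// Try to build a cipher with an all-zero key and IV of the expected sizes.
function tryCipher(name) {
  try {
    const info = crypto.getCipherInfo(name);
    if (!info) return 'no cipher info';
    const iv = info.ivLength ? Buffer.alloc(info.ivLength) : null;
    crypto.createCipheriv(name, Buffer.alloc(info.keyLength), iv);
    return null;
  } catch (err) {
    return err.code || err.message;
  }
}

// status: 'ok', 'refused' (listed by the build but will not instantiate),
// or 'not-in-build' (the name is not listed at all).
function auditAlgorithms(inventory) {
  const listed = {
    hash: new Set(crypto.getHashes().map((n) => n.toLowerCase())),
    cipher: new Set(crypto.getCiphers().map((n) => n.toLowerCase())),
  };
  return inventory.map(({ kind, name }) => {
    const error = kind === 'hash' ? tryHash(name) : tryCipher(name);
    const known = listed[kind].has(name.toLowerCase());
    const status = !error ? 'ok' : known ? 'refused' : 'not-in-build';
    return { kind, name, status, error };
  });
}

// Constructed inventory: names an older application might still reference.
const SAMPLE_INVENTORY = [
  { kind: 'hash', name: 'sha256' }, { kind: 'hash', name: 'md4' },
  { kind: 'cipher', name: 'aes-256-gcm' }, { kind: 'cipher', name: 'bf-cbc' },
  { kind: 'cipher', name: 'des-cbc' },
];

console.log(`node ${process.version} / OpenSSL ${process.versions.openssl} / FIPS ${crypto.getFips()}`);
console.table(auditAlgorithms(SAMPLE_INVENTORY));
```

Running it once as-is and once with `node --openssl-legacy-provider` shows which entries depend on the legacy provider; anything that changes between the two runs is a candidate for migration to a current algorithm.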

There are other changes in Node.js 17, including the Readline Promise API, a new feature that enables reading data from a stream one line at a time. Fatal exceptions will now include the Node.js version number. And Node.js can be compiled with GNU++ 17 and Microsoft VC++ 17.

Showing its age?

Is Node beginning to look dated, with its use of CommonJS modules, gradually being replaced by modern ECMAScript (ES6) modules, and advances in browser technology that will reduce the necessity of build processes using the likes of WebPack?

"If you track the usage numbers, 200 million downloads from our site last quarter, 350 million pulls from the Docker container registry. I don't see any trend other than continued growth in usage," said Dawson.

"The project is evolving, we have an ES6 implementation, we have quite a big team working on that. The way the spec was put together made it a challenge to bring together two module systems, there's still some experimental features that we're working on to improve the ES6 implementation and make it easier to adopt. I don't see any problem that ES6 causes to Node adoption or usage."

What is the impact of TypeScript on Node.js? "Some people love it, particularly if you've come from a C/C++ or Java background, on the other hand there's people who feel JavaScript gives them the ability to do things untyped and more quickly and that's part of the value," he added. "For large applications we can see that it makes sense, it helps bigger teams collaborate more easily. For a one-person project maybe not."

There has been an impact though, in that "we think it's good to provide types with your module even if it's not written in TypeScript… we have identified that as something the [Node.js] project should have an opinion on. I can't say what that opinion will be, but everyone agrees that types are an important concept where we should have a plan," said Dawson.

One of the debates is over cases where there are types maintained externally to a module, by people other than the module authors, with the potential for compatibility issues and breaking changes.

"Is there something we should do to improve that situation?" asked Dawson. The APIs tend to be "relatively stable," he said, so problems do not often occur. "You can use Node with TypeScript today quite effectively." ®

