It's heeere: Node.js 17 is out – but not for production use, says dev team

EcmaScript 6 modules will not stop growing use of Node, claims chair of Technical Steering Committee

Node.js 17 is out, loaded with OpenSSL 3 and other new features, but it is not intended for use in production – and the promotion for Node.js 16 to an LTS release, expected soon, may be more important to most developers.

The release cycle is based on six-monthly major versions, with only the even numbers becoming LTS (long term support) editions. The rule is that a new even-numbered release becomes LTS six months later. All releases get six months of support. This means that Node.js 17 is primarily for testing and experimentation, but also that Node.js 16 (released in April) is about to become LTS. New features in 16 included version 9.0 of the V8 JavaScript engine and prebuilt Apple silicon binaries.

"We put together the LTS release process almost five years ago, it works quite well in that we're balancing [the fact] that some people want the latest, others prefer to have things be stable… when we go LTS," Red Hat's Michael Dawson, chair of the Node.js Technical Steering Committee, told The Register.

"We've hopefully shaken out any issues. Actually at Red Hat we only issue binaries for the LTS releases, and that's what I recommend people to use in production."

Having established that Node.js 17 is not primarily intended for production use, what is new? Inclusion of OpenSSL 3.0 is a big one, Dawson told us. "It give us a path to community FIPS (Federal Information Processing Standards)," said Dawson – though the OpenSSL team said last month that FIPS 140-2 validation is still in progress and "the final certificate is not expected to be issued until next year."

FIPS 140-2 covers cryptographic modules, and observance of the standard ensures, a level of security approved by the US government for sensitive information, and requires use of FIPS-approved cryptographic algorithms. There will be some impact on developers if existing application uses disallow algorithms or keys that are too small. A command line option enables use of the now legacy OpenSSL provider if needed. Some distributions of Node.js already provide FIPS support but "community FIPS" will mean better integration with third-party modules.

There are other changes in Node.js 17, including the Readline Promise API, a new feature that enables reading data from a stream one line at a time. Fatal exceptions will now include the Node.js version number. And Node.js can be compiled with GNU++ 17 and Microsoft VC++ 17.

Showing its age?

Is Node beginning to look dated, with its use of CommonJS modules, gradually being replaced by modern ECMAScript (ES6) modules, and advances in browser technology that will reduce the necessity of build processes using the likes of WebPack?

"If you track the usage numbers, 200 million downloads from our site last quarter, 350 million pulls from the Docker container registry. I don't see any trend other than continued growth in usage," said Dawson.

"The project is evolving, we have an ES6 implementation, we have quite a big team working on that. The way the spec was put together made it a challenge to bring together two module systems, there's still some experimental features that we're working on to improve the ES6 implementation and make it easier to adopt. I don't see any problem that ES6 causes to Node adoption or usage."

What is the impact of TypeScript on Node.js? "Some people love it, particularly if you've come from a C/C++ or Java background, on the other hand there's people who feel JavaScript gives them the ability to do things untyped and more quickly and that's part of the value," he added. "For large applications we can see that it makes sense, it helps bigger teams collaborate more easily. For a one-person project maybe not."

There has been an impact though, in that "we think it's good to provide types with your module even if it's not written in TypeScript… we have identified that as something the [Node.js] project should have an opinion on. I can't say what that opinion will be, but everyone agrees that types are an important concept where we should have a plan," said Dawson.

One of the debates is over cases where there are types maintained externally to a module, by people other than the module authors, with the potential for compatibility issues and breaking changes.

"Is there something we should do to improve that situation?" asked Dawson. The APIs tend to be "relatively stable," he said, so problems do not often occur. "You can use Node with TypeScript today quite effectively. " ®

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021