Node.js Digest #4: Node.js Mascot, a Month with Bun, Deno News, and Cloudflare Updates

Key Highlights:

Node v20.8.0 – as always, packed with lots of improvements and bug fixes.

Deno Queue – the Deno team keeps advancing their platform and releasing exciting new features.

Deno v1.3.7 – Jupyter Notebooks, enhancements to the VSCode extension, testing API, and Node.js compatibility.

Prisma v.5.4.1 – this and previous versions added support for several Serverless databases (PlanetScale, Neon, early support for Turso), along with other improvements.

Google Cloud SQL Node.js Connector – has been officially released and is ready for use.

GitHub Actions will fully transition to Node.js v20* by spring 2024.

Serverless framework has evolved into ampt.

Mascot for Node.js

Without any storm clouds on the horizon, Node.js might be on the verge of introducing its own mascot, much like Bun or Deno. A lively discussion on this issue has started in the official GitHub repository, full of creative ideas and suggestions. As is often the case, it all began on Twitter and then moved to GitHub, where Matteo Collina proposed to rejigger Node.js' previous mascot and make it official. For those who may not be familiar, the previous mascot looked like this:

In the same discussion thread, developers and community members started sharing their ideas and thoughts on the new Node.js mascot. They drew upon both the developers' creativity and Midjourney's potential. You can check out the results here. I'll just add a teaser: there's a capybara in the mix.

Time will tell what choice the OpenJS Foundation makes and what kind of process is required.

Node.js After the Introduction of Bun

At the time of this digest's release, we've been using the so-called production-ready version of Bun for slightly over a month. It's already evident that we can't seamlessly replace Node.js with Bun on all projects, as the performance advantages aren't always significant. Moreover, over 1.8K registered tickets are already in the official Bun repository.

Meanwhile, the Node.js team faced considerable criticism on Twitter, with claims of insufficient focus on Node.js performance and development of the environment in general:

As a result, some of the contributors found themselves compelled to respond and clarify why the situation with Node.js appears as it does:

Matteo Collina went a step further by creating a dedicated blog post expanding on his tweet, where he shared his thoughts on Bun and what's happening with Node.js. Also, Theo Brown released a video defending the Node.js team and sharing his perspective on Bun.

I'd like to put in my two cents: I believe Bun has the potential to significantly boost the development of Node.js. That's why we're witnessing these proposals popping up in the official Node.js GitHub repository.

Cloudflare and Its New Pricing Policy

Cloudflare is trying to win new shares of the Serverless market and has introduced a change in its pricing policy. Now, developers will be billed solely for CPU time, with no charges for time spent waiting for responses from third-party APIs or other I/O operations. In the previous pricing model, if an operation involved preparing data and sending it to the server with a wait of 200 milliseconds, followed by another 2 milliseconds of processing, you would have to pay for the entire 207 milliseconds.

So, according to the updated pricing policy, you will only have to pay for the CPU time: the 5 milliseconds of data preparation and the 2 milliseconds of processing, not the 200 milliseconds spent waiting. This represents a noteworthy difference, and it's intriguing to see how much market share this change will garner for Cloudflare.

Be Careful With Dependencies – And Not Just With NPM From Now On

The Phylum team's latest report says that npm dependency attacks are not only persisting but also expanding into new ecosystems, including PyPI. The approach is similar to the one I covered in the previous digest, with attackers now also focusing on SSH keys and kubeconfig files.

You can read more on how all this happens and which packages have already been spotted in the attack at the link above. And it's worth noting that when it comes to risky dependencies, the first line of defense is you, so be mindful of what you install.

The good news is that GitHub is stepping up to combat malicious packages. You can read more about their efforts here and here.


This is a shortened version. The full version in English is available on my Medium:

https://medium.com/@aleksanderzinewicz/node-js-digest-4-node-js-mascot-a-month-with-bun-deno-news-and-cloudflare-updates-cefcf7450551

Or in Ukrainian on Dou.ua: https://dou.ua/forums/topic/45653
