Node.js

v20.11.1 - https://nodejs.org/en/blog/release/v20.11.1 v18.19.1 - https://nodejs.org/en/blog/release/v18.19.1

Hi y'all, sorry if these are really basic questions, but I'm just starting out learning node. I've been developing software for a long time, and web sites / apps for a couple of years, but nothing too advanced yet, mostly in vanilla HTML/JS and a little PHP. I swear I am trying to keep an open mind on all of this but some of these ideas are really new / different for me.

1. Is Express really just for API development, or can I use it to create a basic web app as well? (I've read others saying this but I find this idea confusing -- e.g.: https://alternativeto.net/software/expressjs/ "Express is for building REST APIs (backend). Meteor is for building the full stack webapp")

2. Do you get used to the idea of incorporating other people's code into your node projects? (Because as an older developer, all this "just add this framework which has 122 dependencies of its own" seems like mania. How could you ever say a project built on hundreds of other projects [which all have their own dependencies too] could ever be said to be safe or secure? And won't changes in those projects break my project eventually?)

3. Is there no way to process a POSTed form with just the built-in Node functions when the form enctype is "multipart" -- without adding in Express or some other framework? (I've searched and searched and all the examples I found for doing this without Express assume the form's enctype is "x-www-form-urlencoded" but my form will be used to upload a file.)

Thanks for any advice / info!

Since Node.js v20.6 instead of using the popular dotenv package to read your .env file and make its values available under process.env, you can now pass --env-file .env to node to achieve the same, without a dependency.

Find out more...

Here is an example of the changes needed to upgrade:

config.ts

package.json

Tipp: If you deploy your app as a Docker container, don't forget to add .env to your .dockerignore file, as typically you will explicitly set your environment variables in your deployment and don't want your .env file to interfere with that.

I’ve been intrigued by FxTS and radash lately

Very happy that with the new --experimental-default-type module in Node.js v21 I can write my little helper commands, that I run directly in the terminal using --eval/-e, in ESM syntax now. E.g. to generate a hex JWT secret:

node --experimental-default-type module -e "import crypto from 'node:crypto'; console.log(crypto.randomBytes(32).toString('hex'));"

Find out more...

Key bit:

POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) - Low

Node.js is affected by this vulnerability. The CVE-2023-4807 affects Windows users, and the vulnerability is rated as LOW by the OpenSSL Security Team.

Saved you a click: NIST National Vulnerability Database: CVE-2023-4807