Node.js Foundation: Our security process is 'top notch'

The organization also plans more of a global outreach to boost the platform in anticipation of Node.js 6's arrival in Spring of 2016


Node.js, often called Node, has caught fire at enterprises, providing a server-side, event-driven JavaScript platform leveraging the Chrome V8 JavaScript engine. After recent turmoil involving a forking of the platform and a couple of security issues, the Node.js Foundation is moving forward in unity with further improvements and expanded outreach.

During the recent Node.js Interactive conference in Portland, Ore., InfoWorld Editor at Large Paul Krill spoke to Mikeal Rogers, Node.js Foundation community manager, and later to PayPal’s Danese Cooper, chairperson of the Node.js Foundation board of directors. Topics of discussion included upcoming and recent Node releases, Node security, and where the platform is headed. 

InfoWorld: You’re going to be speaking about growth and goals of the Node.js Foundation. What are you going to say?

Rogers: The Node community is growing 100 percent year over year. We’ve now gotten the core project to the point where half of the contributors every month are new to the project, so we’re actually converting users into contributors to Node even faster than the Node community is growing. That’s been a huge triumph for the liberal contribution agreements that we started to create, of the foundation in general, and of open participatory governance.

InfoWorld: Why has it grown so much?

Rogers: Mainly because we’ve designed the contribution process in a way that encourages both contributions and for contributors to stick around. For a lot of projects, especially when they get to Node size, there’s a lot of incentive for you to be very guarded about commit rights and access and changes in general. While we’re aware of stability issues and were clear about what is not going into LTS [Node Long-Term Support releases] and what is, we’ve designed the process in such a way that more casual contributors can easily find their way to get their code into the project.

InfoWorld: Node.js 5 was released in late October. With Node.js 6 coming in April, what’s going to be in it?

Rogers: We don’t quite know yet. There will definitely be a new V8 [JavaScript engine] and there will be new features, new ES2015 features. But there’s nothing that we know for sure is going to be in there that isn’t in there yet, to be honest.

InfoWorld: What is the community looking for from Node? I’ve read discussions about Node memory leaks, and of course Node had this big security issue a couple of weeks ago. Are those two areas going to be addressed, or is Node really not worse off for security and memory leaks than other platforms are?

Rogers: Actually Node grade-wise is doing better in security than most other platforms. We have one of the most secure out-of-the-box SSL configurations. The Linux Foundation has helped us revise our security policies and procedures so we have a very top-notch security process now for dealing with vulnerabilities. When you’re a platform our size, you’re going to have vulnerabilities. It’s really a matter of how you respond to them and how well you can get the community to actually upgrade.

InfoWorld: What about memory leaks? Do you see that as a big issue with Node?

Rogers: We’ve done a lot of work there. Idle known memory usage is lower than it’s ever been. We have more profiling tooling than we’ve ever had before for finding memory leaks. There is also new tracing stuff coming down the pipe that’s going to help that as well. The V8 team is implementing a new tracing system that we’ll be using in Node so that will open up the door to a whole new slew of tooling around tracing.

InfoWorld: Microsoft is going open source with Chakra, and apparently they want Chakra as a substitute JavaScript engine for Node instead of V8. How does the Node.js Foundation feel about that?

Rogers: Microsoft had a build of Node for a while about this, and the whole TSC (Node technical steering committee) was pretty positive about it and the foundation was pretty positive about it. Now that they’ve open-sourced it, they can actually contribute that back to the core, which is great. Now we can actually get that in core, and we can integrate it into our testing and build infrastructure. We can make sure that we don’t break it. For the Node community this is just a great thing. It gets Node more places. It gets Node onto Xboxes and in the hands of developers that want to do Xbox applications with Web technologies or use Web technologies for Windows 10 IoT devices.

InfoWorld: There was a quote read in that last presentation today from analyst Michael Facemire: “Adoption of JavaScript and Node sets the stage for the biggest shift in enterprise application development in more than a decade.” Do you agree with that?

Rogers: Yes, definitely. Java and .Net have dominated services for a very long time. There’s been a lot of new development languages that have come out in the last 10 years and none of them have really penetrated and become a third language in the enterprise tool chain like Node has. We get a lot of input about that. We have demand for new services because we have enterprise developers coming in. We have new types of contributors coming on board that are from enterprise companies that have new needs. We’ve been seeing this for a while, and the trend line is only going up.

InfoWorld: In the last presentation, the speaker listed some companies that are using Node, including Uber, Target, Walmart, SAP, and NBC. Why the uptake? Is it because there are so many JavaScript developers out there?

Rogers: We see three main areas of adoption. There’s IoT, there’s new front-end tooling like the new Web tooling that people use in building front ends, and then there’re the back-end services. So that’s enterprise startups, anybody running stuff in microservices in Docker. We see adoption in most companies in both front-end tooling and in back-end services. It’s a familiarity. You have to use JavaScript to work on the Web. You end up using front-end tooling with Node and then all of a sudden you have a new services tier that your front-end team is more familiar with that now talks to the Java back-end team. It’s been there for a while and that’s how they started getting the microservices up.

InfoWorld: What’s happening with io.js?

Rogers: [Node and io.js] merged. The repository that we call Node right now was renamed from io.js to Node.

InfoWorld: Are there still separate releases of io.js?

Rogers: No. We consider those releases of Node now. We consider former io.js releases as releases of Node. Also, the entire governing body of io.js is now part of the governing body of Node, and all of the code was merged.

InfoWorld: Do you see Node displacing a lot of other platforms such as Java, PHP, or Ruby?

Rogers: I don’t like to use the term "displace" because it builds on this assumption that running software gets taken down and replaced with Node. If you have running, working software, that software stays up for a very long time. What we see is that adoption within those companies for their new projects and for new code is moving to Node. We’re seeing that we own the majority of growth in a lot of these places. We see more companies adopting Node for more new things than we see them using some of the languages that they’ve traditionally used whether it’s PHP or Java or .Net or whatever.

InfoWorld: IBM’s James Snell, a TSC member, today talked about how io.js had the velocity of improvements whereas Node had the enterprise stability. Would you agree with that?

Rogers: When you’re not making changes, you’re very stable. When you’re not doing a lot of changes and you’re just taking critical bug fixes, you’re definitely in a state of stability. Every time we do a major release we break a bunch of native modules and the whole ecosystem has to catch up, but it’s also not sustainable to do that forever. You do have to make some changes and make some improvements. Node 0.10 is very stable.

InfoWorld: That was before this plethora of Node releases in the last few months, right?

Rogers: Right, but we’re confident that Node.js 4 is better in every respect than 0.10 and, for that matter, 0.12. We fully believe now that Version 4 is what all enterprises should be moving to. It’s faster, it has a lower memory footprint, it’s more stable, and it’s more secure. There are only improvements and there’s no decrease in stability from other Node releases to 4.

InfoWorld: Danese, I wanted to ask you about your presentation on Node.js's future. What do you see as the next era of Node?

Cooper: Well, we just accepted Libuv [a multiplatform support library focused on asynchronous IO] into our umbrella. It’s a project that we’re dependent on, and there are a couple of other projects floating around that are unaffiliated with any foundation and waning in contributors that we might also be looking at. Then, there are a couple of really famous projects that are obvious ones that need the same kind of support and behavior. Think of us as a sort of an Apache focused around Node, if you will. We’re just figuring this out. Libuv is the first one that the technical committee has really felt strongly about taking on.

InfoWorld: So the next era of Node is going to be more third-party projects incorporated under the Node.js Foundation umbrella?

Cooper: [It will be] filling out what Node is, with all of the things that people use along with Node so that it becomes more and more an ecosystem of like-minded people, in the same way it has been done under other foundations for other projects. That’s going to be a big part of it. Also, getting the message out more widely. It’s a global project and we started this as a U.S. foundation for good reasons, but it’s important for us to keep working with the global community, and so I think we’re planning to physically show up in a lot of places over the next year.

InfoWorld: How is Node working out for PayPal?

Cooper: Node works incredibly well for us. The main gap that we wanted to see filled was more scalability, so we built Kraken that lives on top of [the Express Node extension] and it works pretty well.

InfoWorld: There was a security issue with Node recently, and I guess you could look at it two ways: that either Node needs some security improvements or the fact that the Node people were so open about it. What was PayPal’s reaction to the denial-of-service and the out-of-bounds security issues that were found?

Cooper: As you might imagine, because PayPal is involved in financial transactions we spend a lot of time on security. We weren’t affected by those issues and Node is not our first line of defense for security. We have lots of other stuff we do. We have a whole team that is very, very focused on making sure that anything that gets put into production is very secure. We don’t just take it off the shelf and use it; we modify everything.

Copyright © 2015 IDG Communications, Inc.