
Node v8.8.0 - nikolay
https://nodejs.org/en/blog/release/v8.8.0/
======
nikolay
Notable Changes

* crypto:
  - expose ECDH class

* http2:
  - http2 is now exposed by default without the need for a flag
  - a new environment variable NODE_NO_HTTP2 has been added to allow userland
    http2 to be required
  - support has been added for generic Duplex streams

* module:
  - resolve and instantiate loader pipeline hooks have been added to the ESM
    lifecycle

* zlib:
  - CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to
    be raised when a raw deflate stream is initialized with windowBits set to 8.
    On some versions this crashes Node and you cannot recover from it, while on
    some versions it throws an exception. Node.js will now gracefully set
    windowBits to 9 replicating the legacy behavior to avoid a DOS vector.

~~~
chrisseaton
‘Userland’ http2? As opposed to being implemented as a Linux kernel module?

~~~
gabrielcsapo
No, there is an npm package that has the same name. Userland === npm package

~~~
10000100001010
I think it would be Userland instanceof npm package === true

~~~
the_gipsy
that might not work in an iframe ;)

------
j_s
In case anyone missed it, a Node module used in production at Bing to multi-
thread shared memory for CPU-intensive work hit the big time last week.

[https://github.com/Microsoft/napajs/wiki/Why-Napa.js](https://github.com/Microsoft/napajs/wiki/Why-Napa.js)
a bit edited:

1) quick iteration

2) multiple cores

3) share memory with structures

4) fine granularity parallelism, minimizing communication cost

Discussion:
[https://news.ycombinator.com/item?id=15498219](https://news.ycombinator.com/item?id=15498219)
(Oct 2017, 201 comments)

------
partycoder
Some info about CVE-2017-14919 here:
[http://nodejs.org/en/blog/vulnerability/oct-2017-dos/](http://nodejs.org/en/blog/vulnerability/oct-2017-dos/)

To test if your version is affected:

    const zlib = require('zlib');
    zlib.createDeflateRaw({windowBits: 8})

------
hanley
Is version 8 still planned to enter active LTS on 10/31? Or does this release
mark the beginning of LTS?

------
SimeVidas
Does it server-push my Link preload header resources?
([https://w3c.github.io/preload/#server-push-http-2](https://w3c.github.io/preload/#server-push-http-2))

~~~
BillinghamJ
That would typically be implemented by a proxy or service like Cloudflare. The
server itself should not do this based on header contents - instead the
application should use the push protocol directly:
[https://nodejs.org/api/http2.html#http2_http2stream_pushstre...](https://nodejs.org/api/http2.html#http2_http2stream_pushstream_headers_options_callback)

It wouldn't be appropriate for the http2 core module to do this implicitly,
but I wouldn't be surprised if higher level server abstractions, such as
Express, did implement such a feature (though imo it'd still be better to not
use the Link header).

It's also likely to work a lot better for a caching proxy to perform this
action rather than the source server - since it can cache the contents of the
resources being pushed.

------
knocte
How efficient is it to have an HTTP2 server serving server-push events to
thousands of clients? Better than websockets I assume.

~~~
manigandham
Do you mean Server-Sent Events? That's a well-supported and efficient model
that'll work fine, although the payload will always be heavier than websockets
since all the headers have to be sent, even if compressed within the HTTP/2
stream. It's also not supported on IE or Edge.

If you actually mean server-push then that would basically be long-polling and
not very efficient, also it's meant to send along assets that the server
already knows will be needed for a request (like CSS with the HTML). There's
not much client-side API to actually deal with server-push because it's just
like another network http request/response.

~~~
Touche
Server push is not like long polling because the connection is shared. You
could keep a stream open and push messages as needed. This already sort of is
possible with fetch in the browser, but iirc there are some things the spec
authors are working on for this use case.

~~~
manigandham
You can't do much with these assets. These are plain network requests as far
as the browser is concerned so there's no API logic for your JS code to use.
You're limited to just forcing the browser to download more things and it can
also choose to ignore these push requests.

~~~
Touche
You can do whatever you want with them. For example, let's say you push
/api/todos and your client-side code does a `fetch('/api/todos')`. This stream
stays open, and the client code can receive each message as they come in,
using ReadableStream.

Now the server, having this connection open can later push more data into this
/api/todos stream. Boom, you have websockets. Without needing a separate port
and connection.

~~~
manigandham
You just described long-polling: holding the connection open until the
response arrives or it times out.

Even if you just send push-promises and push-responses while keeping the
original response stalled (and the browser accepts the response), the client-
side JS still has no idea what those requests were or what was loaded.

SSE is the evolution of long-polling so that browsers already include the
logic to keep a connection open with streaming updates so that you can avoid
all this in the first place.

~~~
Touche
This differs from long polling in that http2 doesn't create a new connection.
Also long-polling is request and then response, whereas http2 is (like
websockets) full duplex.

------
nikcub
I'd like to see the non-LTS version of node in 8.x move to OpenSSL 1.1 and
expose more: scrypt, schnorr, curve25519, bn etc.

There is no good internal password storage, and bitcoin operations require
bringing in most libs

~~~
jorangreef
scrypt:
[https://github.com/nodejs/node/issues/8417](https://github.com/nodejs/node/issues/8417)

~~~
nikcub
Not sure if you read that issue because it was closed as it depends on OpenSSL
1.1.

Fire up 8.8.0 and you'll find crypto.scrypt is undefined.

nodejs will have to get the OpenSSL 1.1 upgrade in as the support period for
nodejs 8.x exceeds the support period for OpenSSL 1.0.x

First attempt was made here[0]

[0]
[https://github.com/nodejs/node/pull/11828](https://github.com/nodejs/node/pull/11828)

~~~
jorangreef
"Not sure if you read that issue because it was closed as it depends on
OpenSSL 1.1."

Sure, I opened the issue.

I provided the link so you can follow it.

It would be great to have scrypt in Node, as well as argon2 and DJB's
chacha20+poly1305.

------
raresp
NodeJS will be way faster with the HTTP/2 support. GG!

------
darkhorn
Can I use client side certificates with http2?

------
sanxiyn
Does anyone know what happened to Ayo.js?

~~~
freedomben
It would be great to hear from an insider, but it seems to me like they are
having a little difficulty establishing organization around roles/permissions.
Also the GitHub repo hasn't seen any commits in a month.

~~~
threatofrain
[https://github.com/ayojs/ayo/graphs/commit-activity](https://github.com/ayojs/ayo/graphs/commit-activity)

~~~
tinus_hn
You are in a maze of twisty pronouns, all alike.

Seems like they got stuck on discussing codes of conduct and genders and
forgot to do actual work.

~~~
syshum
Well they do use the slogan "Humans before technology." so I am sure "the
community" is more important than any kind of actual technology, code or
advancement of node

