Node.js 20 Released, Features Experimental Permission Model for Improved Security
Published on April 21, 2023
Node.js recently released version 20 (current release). After entering the long-term support (LTS) stage in October, Node v20 will be ready for full production deployments. There are several key features, including an experimental permission model for improved security and the ability to build Node applications as standalone executables.
When enabled, the --experimental-permission flag restricts access to all available permissions. The current permissions configure access to the file system (the --allow-fs-read and --allow-fs-write flags), the creation of child processes (the --allow-child-process flag), and the creation of worker threads (the --allow-worker flag). For instance, --allow-fs-write=* --allow-fs-read=/tmp/ will allow FileSystemRead access to the /tmp/ folder and allow all FileSystemWrite operations.
Permissions are process-specific. It is therefore not possible for developers to deny permissions to a specific module. By default, a process started with --experimental-permission cannot spawn a child process. Once the --allow-child-process flag is enabled, the user is responsible for passing along the correct arguments so that the child process is spawned with the appropriate permissions. Developers may refer to this pull request and the permission model roadmap for more information.
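The following JavaScript is an added example, not code from the article or from the Node.js project: it audits a Node launch line for the permission flags described above and reports overly broad grants. The function name auditNodeArgs, the report fields and the sample launch lines are hypothetical, and it assumes flags use the --flag=value form and that several paths may be comma-separated or given by repeating a flag.

```javascript
// Added example: review the permission-model flags on a Node.js 20 launch line.
// Only the flags named in the article are recognised; all names here are hypothetical.
const PATH_FLAGS = { '--allow-fs-read': 'fsRead', '--allow-fs-write': 'fsWrite' };
const BOOL_FLAGS = { '--allow-child-process': 'childProcess', '--allow-worker': 'worker' };

function auditNodeArgs(args) {
  const report = { enabled: false, fsRead: [], fsWrite: [],
                   childProcess: false, worker: false, findings: [] };
  for (const arg of args) {
    if (!arg.startsWith('--')) break; // script path reached; later args belong to the app
    const eq = arg.indexOf('=');
    const name = eq === -1 ? arg : arg.slice(0, eq);
    const value = eq === -1 ? '' : arg.slice(eq + 1);
    if (name === '--experimental-permission') {
      report.enabled = true;
    } else if (Object.hasOwn(BOOL_FLAGS, name)) {
      report[BOOL_FLAGS[name]] = true;
    } else if (Object.hasOwn(PATH_FLAGS, name)) {
      // Assumption: paths may be comma-separated in one flag or spread over repeated flags.
      report[PATH_FLAGS[name]].push(...value.split(',').filter(Boolean));
    }
  }
  if (!report.enabled) {
    // Without the opt-in flag the permission model is off and nothing is restricted.
    report.findings.push('unrestricted: --experimental-permission is not set');
    return report;
  }
  for (const key of ['fsRead', 'fsWrite']) {
    if (report[key].includes('*')) {
      report.findings.push(`${key}: wildcard grant covers every path`);
    }
  }
  if (report.childProcess) {
    // Permissions are per process: a child is restricted only if it is given the flags.
    report.findings.push('childProcess: children are restricted only if the flags are passed along');
  }
  return report;
}

// Constructed sample launch lines (not taken from a real deployment).
const samples = [
  ['--experimental-permission', '--allow-fs-write=*', '--allow-fs-read=/tmp/', 'app.js'],
  ['--experimental-permission', '--allow-fs-read=/srv/app/', '--allow-child-process', 'app.js'],
  ['--allow-fs-read=/tmp/', 'app.js'],
];
for (const s of samples) console.log(s.join(' '), '->', auditNodeArgs(s).findings);
```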
With Node v20, developers can build their Node applications into a standalone executable (single executable apps) for users who do not have or cannot install Node.js. Support for single executable apps is available on Windows, macOS, and Linux platforms (all Node.js distributions except Alpine, as well as all Node.js architectures except s390x and ppc64). To reduce attack vectors, Microsoft is experimenting with single executable applications.
The OpenJS Foundation provides Node.js as open-source software under the MIT license. The Node.js contribution guidelines and code of conduct encourage contributions and feedback.