All users of Node.js on virtual private servers or dedicated servers should update their Node installation to the most recent version, which fixes a critical remotely exploitable Denial of Service vulnerability. In other Node news, the NPM project released npx, a new tool that makes life easier for Node users, as part of the update to NPM 5.2.
The security issue in Node, which was originally reported by Google’s Project Zero researcher Jann Horn, was caused by a hash flooding vulnerability that has the potential to allow malicious actors to inflict significant disruption on users of vulnerable Node versions. All maintained versions were vulnerable, including the 4.x, 6.x, and 8.x lines. The 7.x line and older unmaintained versions are also vulnerable but are not patched. If you’re using an unmaintained version of Node, update as soon as possible to a maintained version or your system will remain insecure.
Patched versions of Node are available via your Linux distribution’s package manager.
Web developers can have dozens of projects on their development machines, and each project has its own particular set of npm-installed dependencies. A few years back, the usual advice for dealing with CLI applications like Grunt or Gulp was to install them locally in each project and also globally so they could easily be run from the command line.
But installing globally caused as many problems as it solved. Projects may depend on different versions of command line tools, and polluting the operating system with lots of development-specific CLI tools isn’t great either. Today, most developers prefer to install tools locally and leave it at that.
Local versions of tools allow developers to pull projects from GitHub without worrying about incompatibilities with globally installed versions of tools. NPM can just install local versions and you’re good to go. But project-specific installations aren’t without their problems: how do you run the right version of the tool without specifying its exact location in the project or playing around with aliases?
That’s the problem npx solves. A new tool included in NPM 5.2, npx is a small utility that’s smart enough to run the right application when it’s called from within a project.
If you want to run the project-local version of mocha, for example, you can run npx mocha inside the project and it will do what you expect.
A useful side benefit of npx is that it will automatically install npm packages that aren’t already installed. So, as the tool’s creator Kat Marchán points out, you can run npx benny-hill without having to deal with Benny Hill polluting the global environment.
If you want to take npx for a spin, update to the most recent version of npm.
npm install npm@latest -g