Node.js 20 Released, Features Experimental Permission Model for Improved Security

MMS Founder
MMS Bruno Couriol

Article originally posted on InfoQ. Visit InfoQ

The Node.js team recently released Node v20 (Current release). Node v20 will be ready for full production deployments after entering the long-term support (LTS) stage in October. Key features include an experimental permission model for improved security and building Node applications into standalone executables.

Rafael Gonzaga, Node.js TSC Member explained:

With the addition of the experimental Permission Model and updates to V8, Node.js 20 is perfect for testing and assessing how Node.js will fit into your development environment. We have made excellent progress making Node.js more secure and performant over the past year,

Developers can opt in the new permission API with a --experimental-permission flag that when enabled restricts access to all available permissions. Currently, the available permissions configure access to the file system (e.g., --allow-fs-read, --allow-fs-write flags), the spawning of child processes (--allow-child-process flag), and the creation of worker threads (--allow-worker flag). For instance, --allow-fs-write=* --allow-fs-read=/tmp/ will allow FileSystemRead access to the /tmp/ folder and allow all the FileSystemWrite operations.

Permissions are process-scoped. Developers can thus not deny permissions to just a specific module. A process that has --experimental-permission will not be able to spawn a child process by default. When the --allow-child-process flag is enabled, it becomes the user’s responsibility to pass along the correct arguments to spawn the child process with the right permissions. For more information, developers can refer to this pull request and the permission model roadmap.

With Node v20, developers can build their Node applications into a standalone executable (single executable apps) for users who do not have or cannot install Node.js. Single executable app support is available on the Windows, MacOS, and Linux platforms (all distributions supported by Node.js except Alpine and all architectures supported by Node.js except s390x and ppc64). Microsoft is experimenting with single executable apps as a way to reduce vector attacks.

Additionally, the test runner that was introduced in Node v19 is now stable in v20, signaling production readiness. The V8 JavaScript/WebAssembly engine is updated to version 11.3. This makes available new JavaScript APIs, including methods that change Array and TypedArray by copy, and a resizable ArrayBuffer and a growable SharedArrayBuffer. Node v20 can also leverage V8’s support for WebAssembly tail calls (introduced in v11.2). Lastly, calls to import.meta.resolve() are now synchronous.

Node.js is open-source software available under the MIT license from the Open JS Foundation. Contributions and feedback are encouraged via the Node.js contribution guidelines and code of conduct.

About the Author

Subscribe for MMS Newsletter

By signing up, you will receive updates about our latest information.

  • This field is for validation purposes and should be left unchanged.