MMS • Bruno Couriol
Article originally posted on InfoQ. Visit InfoQ
The Node.js team recently released Node v20 (Current release). Node v20 will be ready for full production deployments after entering the long-term support (LTS) stage in October. Key features include an experimental permission model for improved security and building Node applications into standalone executables.
Rafael Gonzaga, Node.js TSC Member explained:
With the addition of the experimental Permission Model and updates to V8, Node.js 20 is perfect for testing and assessing how Node.js will fit into your development environment. We have made excellent progress making Node.js more secure and performant over the past year,
Developers can opt in the new permission API with a --experimental-permission
flag that when enabled restricts access to all available permissions. Currently, the available permissions configure access to the file system (e.g., --allow-fs-read
, --allow-fs-write
flags), the spawning of child processes (--allow-child-process
flag), and the creation of worker threads (--allow-worker
flag). For instance, --allow-fs-write=* --allow-fs-read=/tmp/
will allow FileSystemRead
access to the /tmp/
folder and allow all the FileSystemWrite
operations.
Permissions are process-scoped. Developers can thus not deny permissions to just a specific module. A process that has --experimental-permission
will not be able to spawn a child process by default. When the --allow-child-process
flag is enabled, it becomes the user’s responsibility to pass along the correct arguments to spawn the child process with the right permissions. For more information, developers can refer to this pull request and the permission model roadmap.
With Node v20, developers can build their Node applications into a standalone executable (single executable apps) for users who do not have or cannot install Node.js. Single executable app support is available on the Windows, MacOS, and Linux platforms (all distributions supported by Node.js except Alpine and all architectures supported by Node.js except s390x and ppc64). Microsoft is experimenting with single executable apps as a way to reduce vector attacks.
Additionally, the test runner that was introduced in Node v19 is now stable in v20, signaling production readiness. The V8 JavaScript/WebAssembly engine is updated to version 11.3. This makes available new JavaScript APIs, including methods that change Array
and TypedArray
by copy, and a resizable ArrayBuffer
and a growable SharedArrayBuffer
. Node v20 can also leverage V8’s support for WebAssembly tail calls (introduced in v11.2). Lastly, calls to import.meta.resolve()
are now synchronous.
Node.js is open-source software available under the MIT license from the Open JS Foundation. Contributions and feedback are encouraged via the Node.js contribution guidelines and code of conduct.