Tuesday, November 30, 2021

How To Secure Flutter Mobile Apps?

 

Day by day the popularity of Flutter is increasing among developers and entrepreneurs. Flutter has emerged as one of the leading cross-platform app development frameworks because of its ability to deliver a native user experience, faster development through code reuse, and faster testing and deployment through hot reload. And when it comes to app development, the biggest concern for programmers and customers is security. As most people use mobile apps for shopping, ordering food and money transactions, it is essential to secure your app. Hence here are some tips to secure your Flutter app. Let’s have a look.

Know the latest features of Flutter 2.5 at- What’s New In Flutter 2.5 And Dart 2.14?

How To Secure Flutter Mobile Apps?

1. Secure CI Infrastructure-

You should know what is going on in your VMs and workflows, whether your CI infrastructure is self-hosted or uses a service such as GitHub Actions.

Updates-

To ensure your apps are built in a secure environment, keep your VMs up to date and be on the lookout for security vulnerabilities.

Secrets-

Do not commit API keys or other sensitive data to your code; instead, add them in the secrets settings of your project. Other services such as Bitrise provide the same option to store secrets.

2. Secure Developer Identity-

Files such as the keystore, keystore.properties, the Google service account key, or any secret that can reveal a developer’s identity must be encrypted at all times when tracked in the repository.

Put the sensitive files in a directory, zip it, and use GPG to encrypt the archive:

cd android
gpg --symmetric --cipher-algo AES256 android_keys.zip

Encrypt the sensitive files, for example key.jks and keystore.properties.

Ignore the unencrypted sensitive files so they are never tracked (in .gitignore):

# Ignore Android keys (only the encrypted .gpg archive is committed)
key.jks
key.properties
service_account_key.json
android_keys.zip

3. Secure User Data-

PII (Personally Identifiable Information) is the most critical data, and you don’t want to store it in your app, because if it is revealed the company is in big trouble. But there are cases where storing PII is required, for instance in offline-first apps. Whenever it is required, you can use flutter_secure_storage to store PII or other sensitive data such as auth tokens.

In short, flutter_secure_storage is a package that uses the Keystore on Android and the Keychain on iOS. Both are considered the standard for storing security-sensitive data on a user’s mobile device.

Caching-

To cache sensitive data other than PII, Hive is the better choice for performance, though it needs more setup. It uses AES-256 encryption, which helps you protect user data from unwanted exposure or tampering.

Tip- To secure users’ data, never store it in plain text.

4. Restrict Network Traffic-

Generally apps are connected to the internet, whether to a third-party service provider or to their own servers. App traffic should be carried over TLS (Transport Layer Security) to provide a secure connection between the mobile app and your servers.

Trusted network-

One way to restrict network traffic, and to block connections to unsecured endpoints, is to explicitly whitelist your domain.

For Android:

res/xml/network_security_config.xml (this file only takes effect once it is referenced from the <application> element of AndroidManifest.xml via android:networkSecurityConfig="@xml/network_security_config")

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

For iOS:

ios/Info.plist

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>cocoacasts.com</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
</dict>

Certificate pinning-

Implement certificate pinning to restrict the app’s secure connections to specific certificates. It ensures that the connection between the app and the server is authentic and trusted. Without certificate pinning, an attacker can eavesdrop on or tamper with data in transit by using compromised or self-signed certificates.

5. Secure API Keys-

API keys come in various formats, but generally they are strings. If a key is not encrypted or obfuscated, it is easier for an attacker to extract and use your API keys.



Monday, November 29, 2021

Top 10 DevOps Trends For 2022

DevOps is a collaborative process of software delivery that brings together the business, development and operations teams. It is a set of practices and ideas that relate to flexible, quick and efficient development. With frequent communication, DevOps engineers ensure that the product in development matches the market requirement. The DevOps approach offers several benefits as the teams collaborate to deliver a product that works in the market. Those benefits include rapid development, enhanced collaboration and responsiveness, faster time to market, etc. One of the main reasons for the popularity of DevOps consulting is that it enables high-quality software delivery. And following the latest DevOps trends and best practices will help you deliver a best-in-class product. So here we’ll discuss the DevOps trends and best practices for 2022.

Top 10 DevOps Trends For 2022

1. Application Of DevSecOps-

DevSecOps is a new trend in DevOps that refers to integrating security into DevOps. Although it might appear to be a new concept, it has been in use for some time. Vulnerabilities, attacks and security breaches cause many issues across different networks. DevSecOps brings an agile approach to security that sorts out security issues and then incorporates new technologies to keep all kinds of hazards at bay.

DevOps can reduce cost and speed things up. According to Verified Market Research reports, the worldwide DevSecOps market was worth $2.18 billion in 2019 and will reach $17.16 billion by 2027, growing at a CAGR of 30.76% from 2020 to 2027. The latest trends and future DevOps predictions suggest that DevSecOps systems ensure the security aspect of the system.

2. Microservice Architecture-

Microservices architecture is a cutting-edge approach in 2021. It divides a system into small, independent units that are scalable and flexible. According to DevOps predictions for 2022, there will be small changes in the cycle that make it hassle-free. The global microservices architecture market was worth $2,073 million in 2018 and is predicted to reach $8,073 million by 2026.

In DevOps there is a constant need to deploy new versions, and you can’t proceed with deploying only minor highlights or functionalities. This is where the microservice architecture comes in. DevOps with microservices architecture overcomes the complications involved by allowing independent delivery cycles. Customization will also lean toward the rise of scaling choices.

3. DevOps Automation-

It is necessary for most enterprises today. Development teams spend a lot of time filling in manual forms, creating change requests and logging into portals. Manual processes disrupt essential tasks and the development lifecycle. DevOps automation is becoming common because companies are moving to understand data better and automate manual processes. This lets programmers focus on app development and results in faster delivery of products.

https://solaceinfotech.com/blog/top-10-devops-trends-for-2022/


Friday, November 26, 2021

Reduce App Development Cost With React Native- How?

 


According to a recent survey, users spend more time on mobile apps for travel bookings, shopping, food ordering and so on. So developing a cross-platform app is the best way to establish yourself in the market and secure a place. Mobile app development is not as simple as it looks. Developers need to perform various tasks and go through various stages to deliver effective and functional mobile apps. Choosing cross-platform app development will help you reduce the overall app development cost, because building a native app separately for each platform is time-consuming and costly. While developing an app, some questions come to the developer’s mind-

  • How to fulfill the client’s requirements while maintaining the overall cost of mobile app development?
  • What are the ways to decrease the app development cost and time?
  • How can they cut the cost without compromising any app aspect or feature?

And the answer to all these questions is ‘React Native’. Let’s have a look at why you should use React native frameworks and how it will reduce app development cost.

Why Should You Go For React Native Frameworks?

As we all know, the mobile app development industry is in the limelight, so it is the perfect time to take over the market by entering with a cross-platform app. React Native is one of the most commonly used cross-platform frameworks among developers. For React Native app development, some elements are important, such as the app’s features and highlights.

Let’s see the details of factors that affect the app development cost-

1. Mobile App Platform-

Developing an Android app or an iOS app depends on the app’s requirements and its target audience. Each platform uses different tools and programming languages, and the UI/UX design of an iOS app differs from that of an Android app. So choose the platform that will work best for your app.

2. Features-

Features are an important part of an app, and which ones you integrate depends on the type of app you are developing. More features make the app more complex, so it is better to avoid unnecessary features.

3. UI/UX App Design-

App design should be unique and impressive. You can go with the native app design, consisting of Android- and iOS-ready templates. You can also go with a custom design, but it takes more time and costs more.

4. Backend Development-

Businesses want software with the latest features, a large database and access to all possible elements. The backend manages and stores the data while ensuring the app works smoothly on the client side. So the overall cost can depend on the variables involved in the backend process.

How Does React Native Help To Reduce The App Development Cost?

1. Faster Development-

Developing apps for individual platforms is time-consuming and needs more development effort and cost. It is better to adopt cross-platform mobile app development with React Native. Businesses benefit from spending less time on app development and more on building strategies. A cross-platform solution is more effective and faster than the old native methods. Maintaining the same code for Android and iOS is also easier for developers.

2. Low UI Cost-


Wednesday, November 24, 2021

How To Choose The Right Headless CMS?

 


We have seen a major shift in CMS (Content Management System) in recent years. Lots of companies are going through digital transformation, so they are looking for ways to become more agile and deliver modern digital experiences. They want to adopt new technologies and methodologies like cloud, microservices, front-end frameworks or DevOps. Eventually they realize that their legacy content management solutions hold them back. If you’re facing the same issue, this blog is for you. Here we’ll discuss how to choose the right headless CMS.

How To Choose The Right Headless CMS?

1. Know The Headless Architecture-

If you’re familiar with traditional CMSs, it is important to understand how they differ from headless ones. Let’s see the difference in architecture-

Monolith Vs. Microservices Architecture-

Traditional CMSs combine content management and presentation in a single coupled solution. They control the content presented on the website using proprietary templating engines, and they tend to add various extra marketing or commerce capabilities. The result is a big monolith in which the CMS plays the central role.

A headless CMS manages content and provides it through an API, meaning the content can be delivered to any digital channel, including mobile, online store, website, chatbot, etc. This is a popular approach among programmers who want to use progressive front-end frameworks and build mobile apps. Headless CMSs fit the microservices architecture perfectly; in this model, you build a digital product by connecting specialized services from various vendors through APIs.

In a microservices architecture, you build a digital experience stack around the digital product instead of building the product around a particular CMS. This means you don’t need to throw away your digital product when you decide to switch to another CMS.

Web First And Content First Approach-

Traditional CMSs were built for the web. They are built around web-specific concepts like sitemaps, websites and pages. They focused on giving business users high control over design, which can be empowering, but too much control may lead to brand inconsistency.

Headless CMSs, in contrast, are designed for a content-first approach. This starts with content modeling, which helps you define the content structure so that it can be reused across various devices. It provides more flexibility but requires a change in how you think about and work with content.

2. Pinpoint Your Business Concerns-

Sorting out business requirements is an important factor in choosing a headless CMS, because it is all about getting your requirements fulfilled. Here are some of the business cases and requirements for choosing a headless CMS-

  • For implementation of modern technology for digital experience
  • To get higher agility, productivity and consistency of brand
  • For personalized omnichannel experience
  • To increase the efficiency of content operations
  • For making business future-proof

3. Identify Requirements Of Key Stakeholders-


Tuesday, November 23, 2021

Have You Switched From NPM To Yarn? NPM Vs Yarn

 


Node.js is best for building highly scalable, data-intensive and real-time backend services that power client applications. It allows you to create dynamic web pages written in JavaScript, such as video streaming sites, single-page apps, online chat applications and so on. These pages are executed on the server before being sent to the browser. NPM (Node Package Manager) is very popular among JavaScript programmers. But it started facing issues with performance and security, which made the package manager unreliable. That’s when Yarn was born, and it has been gaining popularity since its inception. What do you think? Does Yarn replace NPM? Before digging into it, let’s have a look at an overview of NPM and Yarn.

What Is NPM?

NPM stands for Node Package Manager. It is the default package manager for Node.js and has been popular among the JavaScript programming community since its inception in 2010. It comes with Node.js automatically and brings three important components: the command line interface, the online database of innumerable packages called the npm registry, and the website to manage different aspects of the NPM experience. Over the years NPM has gained tremendous popularity and now has a huge community of programmers, which makes it easy to find help.

What Is Yarn?

Yarn, released by Facebook in 2016, is a popular package manager for the JavaScript programming language. One of the main intentions behind creating Yarn was to address some of the security and performance shortcomings of working with npm. It provides similar functionality to NPM. Although it has a slightly different installation process, it lets you access the same registry, so switching from NPM to Yarn is hassle-free.

NPM Vs Yarn- The Difference

1. Installation-

NPM-

It is distributed with Node.js, so when you download Node.js you automatically have npm installed and ready to use. Once Node.js has been installed, use these commands to ensure the installation was successful-

node -v
npm -v

Yarn-

For Yarn, you have two options. If you want to install Yarn using npm, enter the following command-

npm install yarn --global

But programmers advise against using npm to install Yarn. A better alternative is to install Yarn using your native OS package manager. For instance, if you’re using brew on a Mac, you’d enter:

brew update
brew install yarn

If you’d like to try Yarn on an existing npm project, run-

yarn

Then look at your node_modules folder, now laid out using Yarn’s resolution algorithm.

2. Installing Project Dependencies-

Let’s see how project dependencies are installed. When you run npm install, dependencies are installed sequentially. The output logs in the terminal are informative but a bit hard to read.

To install packages with Yarn, you run the yarn command. Yarn installs packages in parallel, which is why it is quicker than npm. If you’re using Yarn 1, you’ll see that Yarn’s output logs are clean, visually distinguishable and brief. They are also ordered in a tree form for easy comprehension. But this changed in versions 2 and 3, where the logs aren’t as human-readable and intuitive.

We’ve seen that npm and Yarn have different commands to install packages.

3. Speed And Performance-

Whenever Yarn or npm needs to install a package, it carries out a series of tasks. In npm these tasks are executed per package and sequentially, meaning it waits for a package to be fully installed before moving to the next. Conversely, Yarn executes these tasks in parallel, which improves performance.

Both managers offer caching mechanisms; Yarn seems to do it a bit better. Implementing a zero-install paradigm, it is capable of installing packages in almost zero time. It caches each package and saves it on disk. Hence on the next installation of that package you don’t need an internet connection, as the package is installed offline from disk.

Though Yarn has some advantages, the speeds of npm and Yarn in their latest versions are pretty comparable. Hence we can’t declare a final winner.



Saturday, November 20, 2021

How To Secure Your Custom Mobile Application?

 


In this decade, mobile devices have become more popular than computers. The reason is obvious: we use mobile devices for lots of activities. We have mobile applications for online shopping, entertainment, banking, communication, e-learning and so on. According to the latest survey, US users spend around 88% of their time using mobile applications. So businesses are trying to adopt mobile apps. Though features and design are important for a successful mobile app, security is another major part. So here we came with tips to secure custom mobile apps. But before digging in, let’s see the common security risks in iOS and Android apps.

Also know- 7 Important considerations when building a mobile app

Common Security Risks In Android And iOS Apps-

There are some common risks that mobile app users can face. Here are some of those-

Injection Attacks-

An application that lacks proper logic or has major loopholes in its code can be exposed to LDAP, SQL or NoSQL injection. Attackers can access data without authorization and then misuse it. So the development team should use proper query techniques, such as parameterized queries, to avert an injection disaster.

Broken Authentication-

What can be worse than losing credentials or a token? These days broken authentication is a major issue in many apps. This can only be fixed by using MFA (multi-factor authentication).

No Data Encryption-

Encryption is the best way to protect sensitive data. Everyone knows that, yet some occasional users and enterprise employees don’t enable encryption on their devices. This results in hacked applications and stolen data.

Insufficient Logging-

It is important to use advanced logging tools and continuously monitor the loopholes that attackers use. Any data breach can be noticed quickly if technicians perform logging and baseline analysis.

Insecure Default Configuration-

Insecure default configurations are a serious issue that arises from small things such as open cloud storage, incomplete setup, or simple oversights by the app creators. It is advisable to keep an eye on the app configuration and check it continuously.

Security Issues In Android-

Generally Android devices have less strict standards than iOS devices. Developers must ensure that their applications don’t have major security loopholes that can cause huge damage. Here are some of the most common security issues in Android apps-

1. Irregular Updates-

The Android team regularly finds OS vulnerabilities and releases updates to fix them. Hence developers should monitor those OS updates and never skip security patches.

2. App Permissions-

These days apps ask users for various permissions when they first download and launch the app. The permissions that users grant an app may bring high security risks. So a secure app should ask only for the permissions it needs, to avoid theft and misuse of user data.

3. Rooting-

Android users know that they can root their devices using third-party apps, but they don’t know that rooted devices are easy targets for attackers. Hence it is important for programmers to ensure that their Android apps don’t work in rooted mode, or work with restrictions and issue warnings to users.



Friday, November 19, 2021

Top 15 .NET Core Libraries That You Must Know

 


The .NET framework has always been a go-to platform for developing robust, scalable and secure enterprise apps. Microsoft released the .NET Framework 19 years ago and it continues to be a first choice for developers. The newer .NET Core is the most valuable and useful update of the framework, delivering dynamic, feature-rich, robust web and mobile apps. Recently .NET Core got new features for writing less code and for deploying high-performance, scalable apps. All these updates were made in the .NET framework libraries. Let’s see the top 15 .NET Core libraries that you must know.

Top 15 .NET Core Libraries That You Must Know-

1. FluentEmail-

It is an open-source .NET library that helps you implement email functionality in a .NET app within just a few minutes. This library supports Razor for prebuilt email templates and sending mail through popular email delivery services like SendGrid and Mailgun, or via the SMTP protocol. It offers more control over how mail is sent through the email delivery service. Here are some of the FluentEmail packages-

  • FluentEmail.Smtp- To send emails through the SMTP protocol.
  • FluentEmail.Mailgun- To send emails using the Mailgun REST API.
  • FluentEmail.SendGrid- To send emails through the SendGrid REST API.
  • FluentEmail.Core- A base package for sending emails through SMTP; as the base package, it only includes the basic defaults and the domain model.

2. Swashbuckle-

Swashbuckle is a .NET Core library for building great API documentation. It also lets you explore and test API operations with Swagger UI. Here are some of the core features of this library-

  • Support for XML comments
  • Automatic generation of Swagger 2.0 and seamless integration with Swagger UI.
  • You get reflection-based schema generation as you describe your API types
  • Support for extensibility hooks
  • Support for authentication: implicit OAuth2 scheme and flow, API key and basic authentication

3. AutoFac-

It is an IoC container for .NET that lets you run classes and their dependencies as separate components, so they stay manageable as the app becomes larger and more complex. AutoFac has a good community and a reputation as a popular NuGet package in .NET. AutoFac also helps identify misconfigurations and issues in large-scale apps. A third-party container in the app enhances code readability and provides easily testable code by centralizing dependency management for classes. It helps you scale only the required component rather than the entire app.

4. Xunit-

It is a free, open-source, community-focused testing tool with which you can test small independent components instead of larger parts of the program. It allows aligning design goals and simplicity with the framework’s features. Installing xUnit installs dependencies like-

  • Xunit.assert- Includes the assertion library to validate whether a condition holds or not.
  • Xunit.analyzers- Includes libraries to write unit test cases that test the app under all possible conditions.
  • Xunit.analyzers- Installing this package provides the testing team with code analyzers that help them find and fix frequently occurring issues and bugs when writing robust test cases.

Wednesday, November 17, 2021

Get Motivated To Do Nothing With – Google Assistant’s “Do Nothing” Mode

 

We all know about Google Assistant. It is one of the most popular and capable virtual assistants in the tech world. Google Assistant helps you manage your smart home devices, fetch a cab and even shop. Now Google, in partnership with Cadbury 5 Star, has launched a new “Do Nothing Mode” that does just what the name suggests: nothing. This new mode will literally motivate you to do nothing. The mode is limited to Google Assistant devices in India only.

How To Activate Do Nothing Mode?

To activate this new mode, just say, “Ok Google, eat a 5 Star”. Once it is activated, Google Assistant will neither do any work nor let you work too hard. You can ask questions and get funny responses until Google Assistant gives up and suggests you “do nothing”. This mode becomes that chilled-out friend who is always by your side.

What Google Assistant ‘Do Nothing’ Mode Does Exactly?

“Do Nothing” mode is available on smart TVs, smartwatches and tablets that run Android 6.0 and above, Google Home, Android phones running Android 5.0 and above, iOS devices running iOS 10 and above, Google Assistant-supported headphones and smart displays.

You can ask Google Assistant different questions and be ready for some funny replies. When you ask about the weather, Assistant replies “HaHa.. as if you’re going to step out”.

If you ask about the nearest salon, assistant replies “You’re in luck. Bushy eyebrows, hairy armpits and no makeup selfies are in fashion.” 

If you ask, “How do I lose weight?”, Google Assistant may respond, “Bring a measuring tape and say done for further instructions.” Really funny, isn’t it?

Ha ha ha… Have you ever thought about such answers from Google? Obviously not. But it’s super funny, right? Let’s get into some more funny questions and their replies.

When you ask, “How do I save money?”, the Assistant replies: “Mani is perfectly safe and happy at his house in Thanjavur, Tamil Nadu. He appreciates your concern.”

If you ask, “How’s the traffic?”, Google Assistant may respond, “He misses you, but he’ll get over it”. Thus, whatever you ask in this Google Assistant mode, Google will be of no help and all fun.

When you ask “How do I make bread?”, Google assistant may respond, “ You don’t, the baker does”.

If you ask for the nearest restaurant, Google Assistant may respond, “It’s far enough that you’ll have to wear pants to go there, so let’s order online?”

HaHaHa………..

One more..

If you ask, “Egg first or chicken?”, Google Assistant may reply, “Depends on which one you ordered first.”

Really funny……

So, did you use the do nothing mode of Google Assistant and got motivated to do nothing? If not, go and try the “Do Nothing” mode of Google assistant.


Tuesday, November 16, 2021

How To Secure NPM Packages From Getting Hacked?

 


In the web development world, using and sharing reusable building blocks is common. With NPM, adding new open source packages to an application is simpler and more accessible than ever. There are 1.5 million packages available in the npm registry, and up to 90% of the code in modern apps is open source code developed by others. With such a huge number of npm packages, it is obvious that attackers will target them with malicious intent. And nowadays lots of developers are reporting that npm packages are getting hacked. So here are some best practices for npm package security. Let’s have a look.

Top 7 Best Practices For NPM Security-

1. Use NPM Author Tokens-

When you log in with the npm CLI, a token is generated for your user that authenticates you to the npm registry. Tokens ease registry-related actions during CI and automated procedures, such as accessing private modules on the registry or publishing new versions from a build step. Tokens can be managed via the npm registry website and with the npm command line client. Here is an example of using the CLI to create a read-only token restricted to a particular IPv4 address range-

$ npm token create --read-only --cidr=192.0.2.0/24

To verify which tokens have been generated for your user, or to revoke tokens in an emergency, use npm token list or npm token revoke respectively. Make sure you follow this npm security best practice by protecting and minimizing the exposure of npm tokens.

2. Enable A Dependency Firewall To Block Packages At The Door-

Being notified is vital, but most of the time it is far better to block bad packages at the door. It is recommended to set up a code supply chain that prevents packages from being added to your private registries if they have not been scanned, are insecure, or carry specific restrictive licenses.

3. Use Local NPM Proxy-

The npm registry is the largest collection of packages available to JavaScript programmers and is also home to most open source projects for web developers. But sometimes you may have different requirements regarding security, deployments or performance. In that case, npm lets you switch to a different registry:

When you run npm install, it automatically communicates with the main registry to resolve all dependencies; if you want to use a different registry, that is also simple-

  • Use npm set registry to set the default registry.
  • Use the --registry argument to override the registry for a single command.

Verdaccio is a simple, lightweight, zero-config-required registry, and installing it is just as simple-

$ npm install --global verdaccio

Hosting your own registry was never this simple. Let’s have a look at the most important features of this tool:

  • It supports the npm registry format, including private package features, package access control, scope support and authenticated users in the web interface.
  • It can hook into remote registries, route each dependency to a different registry, and cache tarballs. Proxy all dependencies through it to reduce duplicate downloads and save bandwidth on local development machines and CI servers.
  • If your project is Docker based, using the official image is the best choice.
  • By default it uses htpasswd for authentication, and it also supports GitLab, LDAP and Bitbucket.
  • It is easy to scale using various storage providers.

It is easy to run:

$ verdaccio --config /path/config --listen 5000

If you use Verdaccio as a local private registry, configure your packages to publish to the local registry so that developers cannot accidentally publish them to the public one. To do this, add the following to package.json (the https:// URL assumes you have enabled TLS in Verdaccio's config; out of the box it serves plain HTTP):

"publishConfig": {
  "registry": "https://localhost:5000"
}

To publish a package, run npm publish as usual; npm honours publishConfig.

4. Ignore run-scripts To Reduce Attack Surfaces-

The npm CLI works with package run-scripts. If you have ever run npm start or npm test, you have used run-scripts. Packages can also declare scripts that npm runs at particular points during installation; for example, a postinstall script in a package being installed runs automatically to perform housekeeping tasks.

This capability lets bad actors create or modify packages that run arbitrary commands when the package is installed. Two well-known incidents are the compromised eslint-scope package, whose install script harvested npm tokens, and the crossenv incident, in which it and 36 other typosquatted packages abused the same mechanism on the npm registry.

Apply these npm security best practices to reduce the attack surface of malicious modules:

  • When installing packages, add the --ignore-scripts flag (or set ignore-scripts=true in your .npmrc) so third-party packages cannot execute scripts.
  • Hold off on blindly upgrading to a new version; let new package versions circulate for a while before adopting them.
  • Before you upgrade, review the changelog and release notes for the new version.

5. Enforce The Lockfile-


Friday, November 12, 2021

What’s New In Node.js 17?


The latest version of Node.js has been officially released and is available to users, contributors and app developers. Node.js 17 replaces Node.js 16 as the Current release line of the runtime; Node.js 16 itself was promoted to the LTS (long term support) channel on 26th October. Rather than a minor update, this release brings several refinements to the runtime, including more promisified APIs, a JavaScript engine upgrade and OpenSSL 3.0 support. Here we discuss the main Node.js 17 features. Let's get started.

Also know the amazing Node.js security best practices at- Top 10 Node.js Security Best Practices

What’s New In Node.js 17?

1. New Promise-based APIs-

Node.js has been promisifying its core APIs as part of a strategic initiative. In Node.js 17 this ongoing work extends to the readline module, which is mainly used to read input from the command line. The new APIs are exposed through the readline/promises module. The old way of using readline in Node.js 16 and earlier relied on callbacks:

// main.mjs
import readline from "readline";
import process from "process";

const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout,
});

rl.question(`What's your name?`, (name) => {
  console.log(`Hi ${name}!`);
  rl.close();
});

With Node.js 17 you can import from readline/promises and await the result (top-level await works here because the file is an ES module):

// main.mjs
import readline from "readline/promises";
import process from "process";

const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout,
});

const name = await rl.question(`What's your name?`);
console.log(`Hi ${name}!`);
rl.close();

2. Stack Traces-

Stack traces matter to Node.js development companies and to every user of the runtime: they help detect errors affecting an app and point to where those errors originate. In this release, the Node.js version is printed at the end of the stack trace when a fatal exception forces the process to exit. This is useful because whoever analyses a reported error will want to know which version of Node.js produced it. For users who do not want the extra information, Node.js 17 adds the command-line option --no-extra-info-on-fatal-exception.

3. OpenSSL 3.0-

Node.js now ships OpenSSL 3.0 (specifically quictls/openssl), upgraded from OpenSSL 1.1.1. OpenSSL 1.1.1 reaches end of support on 2023-09-11, which is before the proposed end-of-life date of Node.js 18, so OpenSSL 3.0 was included in Node.js 17 to give users time to test and give feedback before the next LTS release. Among the new features in OpenSSL 3.0 is the introduction of providers, including a FIPS provider that can be enabled in Node.js. While the APIs in OpenSSL 3.0 are largely compatible with OpenSSL 1.1.1, some ecosystem impact is expected because of stricter restrictions on the algorithms and key sizes allowed by default.

If your application hits an ERR_OSSL_EVP_UNSUPPORTED error, it most likely means that your app, or a module it uses, relies on an algorithm or key size that OpenSSL 3.0 no longer allows by default. A new command-line option, --openssl-legacy-provider, reverts to the legacy provider as a temporary workaround for these restrictions; treat it as a stopgap while you migrate, not as a fix, because it re-enables every legacy algorithm for the whole process.

For example-

$ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'

Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

4. V8 Is Upgraded To v9.5-

Node.js 17 ships an updated V8 JavaScript engine, version 9.5; Node.js 16 is on V8 9.4, the latest available in the previous release line. Apart from performance tweaks and improvements, the new version adds extra supported types for the Intl.DisplayNames API and extended timeZoneName options for Intl.DateTimeFormat.

5. Deprecations And Removals-

Node.js 17 also includes some removals and deprecations. The most important one is the deprecation of trailing-slash pattern mappings (subpath folder mappings in package exports and imports), which the import maps specification does not support.