It’s becoming very clear that Node.js is here to stay. Adoption continues to grow, and large software companies are investing in its future. We constantly hear from Node.js developers who have switched their IDEs to VSCode. We have also seen cloud services, such as AWS Lambda, support Node.js natively in their Function-as-a-Service (FaaS) offering.
With this growth comes an increased focus on security risk and vulnerabilities in Node.js software. Enterprises are waking up to the fact that Node.js applications need to be secure for real-world, production deployments to accelerate. The 2018 Node.js User Survey addresses several important security topics, as well as the main drivers of Node.js adoption.
1. Node.js increases developer productivity
Respondents said the #1 business impact of Node.js is developer productivity. A close second was developer satisfaction. What are the drivers? Here are some observations that stand out:
- Survey respondents described Node.js as “fast”, “easy”, “awesome”, and “powerful”.
- Node.js has a rich ecosystem of modules that help accelerate time-to-market for new projects.
- A majority of Node.js developers work for smaller firms (<100 people). This demographic may suggest many startups leverage Node.js to compete against bigger, more established companies.
2. Lack of Node.js security best practices
This need is a big opportunity for the Node.js community. When you do a Google search for Node.js security vulnerabilities, you find pages -- but can you trust them? Often, the answer is buried in a forum thread among developers. More needs to be done here. Otherwise, Node.js growth may slow in enterprise segments where security is critical.
3. <1% of Node.js developers “focus” on security
This takeaway isn’t much of a surprise, given the leading focus areas for developers are “back-end” and “full stack development”. What does it mean to “focus on security”? It’s possible developers do not have good options for testing their application code. While more needs to be investigated here, the trend is clear - security needs to catch up in terms of educational content and top-of-mind awareness.
4. Most Node.js developers rely on LTS (long-term support)
55% of the survey respondents said they rely on the LTS release line. This reliance makes sense, considering enterprises want stable Node.js deployments. However, smaller companies and new developers tend to pull the latest version - perhaps it’s because there is higher risk tolerance among startups, or maybe new developers aren’t sure what version to pick? Regardless, 61% of respondents think it’s important for LTS to exist. Given this response rate, we can expect increased visibility into support timeframes and schedules as Node.js matures.
5. Yarn is gaining ground on npm
npm is still the most widely used package manager with 60% adoption. Yarn has only 13% adoption, but it seems to be growing. What’s driving this increase? First and foremost, Yarn offers a flat dependency structure, as opposed to npm’s nested structure, which makes downloading and installing dependencies from package repositories more predictable. Secondly, Yarn allows you to work offline, which is critically important for sandbox development environments that do not have access to the internet.