Node.js Tools

1. NPM – The Node Package Manager

When discussing Node.js, one thing that should not be omitted is its built-in support for package management through the NPM tool, which ships with every Node.js installation. NPM modules are publicly available, reusable components, installed from an online registry with a single command, with version and dependency management built in.

Some of the most popular NPM modules today are:

  • express – Express.js, a Sinatra-inspired web development framework for Node.js, and the de-facto standard for the majority of Node.js applications out there today.
  • connect – Connect is an extensible HTTP server framework for Node.js, providing a collection of high performance “plugins” known as middleware; serves as a base foundation for Express.
  • sockjs – Server-side component of one of the most common WebSocket libraries in use today.
  • Jade – One of the popular templating engines, inspired by HAML, a default in Express.js.
  • mongo and mongojs – MongoDB wrappers to provide the API for MongoDB object databases in Node.js.

NPM usage:

The best way to manage locally installed npm packages is to create a package.json file.

A package.json file allows you to:

  • document which packages your project depends on
  • specify the versions of a package your project can use, using semantic versioning rules
  • make your build reproducible, which makes it much easier to share with other developers

To specify the packages your project depends on, list them in your package.json file. There are two kinds of packages you can list:

  • "dependencies": these packages are required by your application in production
  • "devDependencies": these packages are only needed for development and testing

A package.json that lists my_dep under "dependencies" with a range covering major version 1, and my_test_framework under "devDependencies" with a range covering major version 3, says that the app uses any version of my_dep matching major version 1 in production, and any version of my_test_framework matching major version 3, but only for development. Because such ranges float, the versions actually installed depend on what the registry offers at install time; a lockfile (package-lock.json) records the exact resolved versions so that every developer and build server gets the same tree.
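As an added example (not code from the original page), the manifest described above written out as an object, together with a deliberately small semver matcher that shows what the caret ranges npm writes by default actually admit. The names my_dep and my_test_framework are the placeholders used in the text; the functions parseVersion, satisfies and checkInstalled are illustrative and not part of npm.

```javascript
// The package.json described in the text, as a plain object. Placeholder
// package names come from the text; the ranges are the caret ranges npm
// writes by default for a major-version match.
const manifest = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    my_dep: '^1.0.0', // any 1.x.y, never 2.0.0 (production)
  },
  devDependencies: {
    my_test_framework: '^3.0.0', // any 3.x.y (development and testing only)
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; missing parts default to 0.
function parseVersion(v) {
  const parts = v.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length === 0 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`invalid version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return { major: parts[0], minor: parts[1], patch: parts[2] };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Simplified range check (illustrative, not npm's resolver): "^X.Y.Z" admits
// versions >= X.Y.Z with the same major when X > 0; for X == 0 the minor is
// pinned as well, because 0.x releases may break on minor bumps. A bare
// version must match exactly. Other operators (~, >=, ||, prerelease tags)
// are deliberately not handled.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const b = parseVersion(base);
    const v = parseVersion(version);
    if (b.major === 0) {
      return v.major === 0 && v.minor === b.minor && compareVersions(version, base) >= 0;
    }
    return v.major === b.major && compareVersions(version, base) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// Compare every listed dependency with a map of versions actually installed
// (in practice, what a lockfile or `npm ls` reports). Returns the mismatches,
// so an empty array means the installed tree matches the manifest.
function checkInstalled(pkg, installed) {
  const problems = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const have = installed[name];
      if (have === undefined) {
        problems.push(`${name}: missing (wanted ${range})`);
      } else if (!satisfies(have, range)) {
        problems.push(`${name}: ${have} does not satisfy ${range}`);
      }
    }
  }
  return problems;
}
```

The point of the check is the supply-chain one: a floating range is a promise that any matching release is acceptable, so a build that silently picks up a new minor version is expected behaviour, not a bug. If that is not acceptable, pin exact versions or rely on the lockfile.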

2. Nodemon

Nodemon is a tool for managing Node processes during development. It starts your Node process and keeps it running, watching the filesystem for changes and restarting the process whenever a file changes.

You can install it with npm install -g nodemon. I like to install it globally so I can use it for all projects, but you can remove the -g to install it locally instead.

Now, instead of running your application with node server.js, you run nodemon server.js. It watches for changes in your application and restarts your server for you.

3. Node inspector

Node Inspector is a debugger interface for Node.js applications that uses the Blink Developer Tools. The really cool thing is that it works almost exactly as the Chrome Developer Tools.

You need a flavour of the Chrome browser (Chrome, Chromium, etc.) installed.

Once Node Inspector is installed, start it and point your browser at the address it prints; from there you debug as you would in Chrome Developer Tools. Note that Node Inspector is no longer maintained: current Node.js releases expose the same DevTools protocol natively through node --inspect, which is the better choice on any recent version.

Can you combine nodemon with Node Inspector? Yes: start your server with nodemon --debug server.js and run node-inspector in a separate terminal window, unless you push nodemon to the background.

4. Helmet

Helmet helps protect your app from some well-known web vulnerabilities by setting HTTP response headers appropriately. It does not fix the underlying bugs, but it makes several classes of attack harder to exploit.

Helmet is a collection of nine smaller middleware functions, each of which sets security-related HTTP headers:

  • csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections; it is the most valuable of the nine and the one that needs the most thought, since a policy allowing 'unsafe-inline' scripts gives up most of the protection.
  • hidePoweredBy removes the X-Powered-By header, so the response no longer advertises that the app runs on Express.
  • hpkp adds Public-Key-Pins headers intended to prevent man-in-the-middle attacks with forged certificates. HPKP has since been deprecated and removed from major browsers (and from later Helmet releases); do not deploy it.
  • hsts sets the Strict-Transport-Security header, which makes browsers use HTTPS for every subsequent connection to the server.
  • ieNoOpen sets X-Download-Options for IE8+.
  • noCache sets Cache-Control and Pragma headers to disable client-side caching.
  • noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
  • frameguard sets the X-Frame-Options header to provide clickjacking protection.
  • xssFilter sets X-XSS-Protection to enable the cross-site scripting (XSS) filter in browsers that have one. Those filters have since been removed from major browsers, so rely on a real Content-Security-Policy rather than on this header.
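To make the header values concrete, here is an added example (not Helmet's code) of an Express-style middleware that sets the same headers Helmet's sub-middlewares set, plus an audit function you can run over the headers of a live response to check that the baseline is actually reached. The functions securityHeaders, auditHeaders, fakeResponse and demo, and the specific default values, are this example's choices, not Helmet's.

```javascript
// Serialise { 'default-src': ["'self'"], ... } into a CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Hand-rolled equivalent of Helmet's header-setting middlewares (illustrative).
function securityHeaders(options = {}) {
  const csp = options.csp || {
    'default-src': ["'self'"],
    'script-src': ["'self'"],       // no 'unsafe-inline': injected <script> is blocked
    'object-src': ["'none'"],
    'frame-ancestors': ["'none'"],  // CSP-era replacement for X-Frame-Options
  };
  const hstsMaxAge = options.hstsMaxAge ?? 15552000; // 180 days, in seconds
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', buildCsp(csp));          // csp
    res.removeHeader('X-Powered-By');                                  // hidePoweredBy
    res.setHeader('Strict-Transport-Security',
      `max-age=${hstsMaxAge}; includeSubDomains`);                     // hsts
    res.setHeader('X-Download-Options', 'noopen');                     // ieNoOpen
    res.setHeader('X-Content-Type-Options', 'nosniff');                // noSniff
    res.setHeader('X-Frame-Options', 'DENY');                          // frameguard
    res.setHeader('X-XSS-Protection', '0');                            // xssFilter: 0 disables legacy auditors
    if (options.noCache) {                                             // noCache (opt-in here)
      res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
      res.setHeader('Pragma', 'no-cache');
    }
    next();
  };
}

// Baseline a response should meet: header name (lower-case) -> predicate on value.
const EXPECTED = {
  'content-security-policy': (v) => /default-src/.test(v) && !/unsafe-inline/.test(v),
  'strict-transport-security': (v) =>
    /max-age=(\d+)/.test(v) && Number(/max-age=(\d+)/.exec(v)[1]) >= 15552000,
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'x-frame-options': (v) => /^(deny|sameorigin)$/i.test(v),
};

// Audit a headers object (any name casing). Returns findings; empty means OK.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, ok] of Object.entries(EXPECTED)) {
    if (!(name in lower)) findings.push(`missing ${name}`);
    else if (!ok(lower[name])) findings.push(`weak ${name}: ${lower[name]}`);
  }
  if ('x-powered-by' in lower) findings.push(`leaks server stack: x-powered-by=${lower['x-powered-by']}`);
  return findings;
}

// Minimal stand-in for an Express response so the middleware runs offline.
function fakeResponse(initial = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(initial)) headers[k.toLowerCase()] = v;
  return {
    headers,
    setHeader(n, v) { headers[n.toLowerCase()] = v; },
    removeHeader(n) { delete headers[n.toLowerCase()]; },
  };
}

// Usage: audit a default Express-like response before and after the middleware.
function demo() {
  const before = fakeResponse({ 'X-Powered-By': 'Express' });
  const after = fakeResponse({ 'X-Powered-By': 'Express' });
  let nextCalled = false;
  securityHeaders()({}, after, () => { nextCalled = true; });
  return { before: auditHeaders(before.headers), after: auditHeaders(after.headers), nextCalled };
}
```

The audit half is the part worth keeping around: headers set in the app are routinely stripped or overridden by a reverse proxy or CDN in front of it, so check what the client actually receives rather than what the middleware sets.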

5. Express-limiter

Express-limiter adds rate limiting to Express routes. Applied to the login endpoint, it slows brute-force attacks against authentication by capping how many attempts a client may make in a given window. Keying the limit on the client IP alone is not enough, since attackers rotate addresses; counting attempts per target account as well catches password spraying against a single user.
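As an added example (not express-limiter's code), a self-contained sliding-window limiter in the shape of Express middleware, keyed on both client IP and submitted username. It keeps counters in an in-memory Map, which is fine for a single process and for seeing the logic; a multi-process deployment needs a shared store. The clock is injectable so the window can be exercised without sleeping. createLoginLimiter and scenario are names chosen for this example.

```javascript
// Sliding-window login limiter (illustrative). limit = attempts allowed per
// key within windowMs; now() is injectable for deterministic tests.
function createLoginLimiter({ limit = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
  const hits = new Map(); // key -> timestamps of attempts still inside the window

  // Drop expired timestamps, record this attempt, return the count in window.
  function recordAndCount(key) {
    const t = now();
    const recent = (hits.get(key) || []).filter((ts) => t - ts < windowMs);
    recent.push(t);
    hits.set(key, recent);
    return recent.length;
  }

  // One counter per source address, one per target account (case-folded),
  // so neither spraying many accounts nor attacking one from many IPs escapes.
  function keysFor(req) {
    const ip = req.ip || 'unknown';
    const user = (req.body && req.body.username ? String(req.body.username) : '').toLowerCase();
    return [`ip:${ip}`, `user:${user}`];
  }

  // Records the attempt against every key; true when any counter is over limit.
  function isLimited(req) {
    return keysFor(req).map(recordAndCount).some((count) => count > limit);
  }

  const middleware = function (req, res, next) {
    if (isLimited(req)) {
      res.statusCode = 429;
      res.setHeader('Retry-After', String(Math.ceil(windowMs / 1000)));
      res.end('Too many login attempts, try again later.');
      return;
    }
    next();
  };
  middleware.isLimited = isLimited;
  return middleware;
}

// Constructed scenario with a fake clock: one IP tries five passwords for
// "alice" (allowed) and a sixth (blocked); a second IP attacking "alice" is
// blocked by the shared per-account counter; the same IP attacking "bob"
// starts fresh; after the window slides, the first IP is allowed again.
function scenario() {
  let clock = 1000000;
  const limiter = createLoginLimiter({ limit: 5, windowMs: 60000, now: () => clock });
  const attempt = (ip, username) => {
    const res = { statusCode: 200, headers: {}, setHeader(n, v) { this.headers[n] = v; }, end() {} };
    let passed = false;
    limiter({ ip, body: { username } }, res, () => { passed = true; });
    return passed ? 'allowed' : `blocked ${res.statusCode}`;
  };
  const log = [];
  for (let i = 0; i < 6; i++) log.push(attempt('203.0.113.7', 'alice'));
  log.push(attempt('198.51.100.9', 'alice'));
  log.push(attempt('198.51.100.9', 'bob'));
  clock += 61000;
  log.push(attempt('203.0.113.7', 'alice'));
  return log;
}
```

Two design notes: blocked attempts are still counted, so an attacker who keeps hammering never gets a fresh window; and the 429 response is identical whether the account exists or not, so the limiter does not become a username oracle.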

6. Cluster Service

Cluster Service turns single-process code into a fault-resilient, multi-process service with built-in REST and CLI support, so web servers can be restarted or hot-upgraded with zero downtime and no impact on clients.