Node.js 18 released with prefix-only core modules, experimental fetch API, and more

The Node.js team has released version 18 of its server-side JavaScript runtime environment. This being an even-numbered release, it will be promoted to long-term support in October, whereupon it will be supported until April 2025.

Node.js includes an official fetch API, though it is currently flagged as experimental. The idea is to provide a native implementation of the familiar fetch API used in the browser for asynchronous retrieval of resources across the network, though there are inevitable differences since Node.js is not a browser environnemnt. It is based on an existing project called node-fetch. According to the team, “the API will remain experimental until more test coverage is added and the contributors have verified that the API implements as much of the specification as is feasible.”

There is also a new test runner module, again experimental, which generates results in TAP (Test Anything Protocol) format, a standard format. Tests can be synchronous or asynchronous, and the output can be interpreted by any TAP-compatible test harness. The test runner is intended to be minimalist rather than comprehensive.

Writing tests for Test runner

The main author of the Test runner, Colin Ihrig (who earlier this month joined the team at Node rival Deno) said that another new feature in Node.js 18, prefix-only core modules, is “a potentially more significant change.” The idea is to make it clear when code is importing a core Node module as opposed to some other module. This also makes it easier for the team to add new core modules without the risk of naming conflict. The Test runner is the first prefix-only module, which means that it can only be loaded with the prefix, as ‘node:test’. If the developer tries to import or require just ‘test’, Node.js will look for a non-core module of that name.

Ihrig notes that this does increase the risk from “typosquatting attacks”, which exploit the possibility of developers making spelling errors that import malicious modules instead of what was intended. This potential risk is now extended to those who forget to type the prefix, similar to the attack last month on coders who forgot to type the @azure scope when installing modules for use with Microsoft’s cloud platform.

What is the Node.js project doing for developers who prefer to use strong types as in TypeScript? “Types for end users have been identified as a technical priority for the project,” Michael Dawson, Node.js lead for Red Hat and IBM and OpenJS Community Board Director, told DevClass. “The currently agreed approach is to help external projects generate/maintain the types.” Dawson accordingly said that he welcomed the “improved user experience when using Types with Node.js and ES modules,” which was included in the beta of TypeScript 4.7 earlier this month.