The Node.js Foundation and NodeSource are moving the Node.js platform toward greater module stability, better security, and more independence in the use of JavaScript virtual machines.

Working with IBM, Intel, Microsoft, and Mozilla, the Node.js Foundation today unveils the Node.js ABI (Abstract Binary Interface) Stable Module API. This effort would define a stable module API independent from changes in V8, which has anchored Node. In addition to the API work, the Node.js build system will begin producing nightly builds of node-chakracore, which has Node running with Microsoft's ChakraCore JavaScript engine.


The API constitutes a first step toward JavaScript virtual machine neutrality, said Arunesh Chandra, Microsoft senior program manager. "This API is going to help the native module developers to guarantee an ABI-stable API surface for Node." The ability to use JavaScript engines other than Google's V8 could expand Node's use in areas like mobile computing and the internet of things, according to the Node.js Foundation.

The ABI-stable API guarantees that changes that happen at a VM level will not require a new version of Node.js, said Dan Shaw, CTO of Node technology vendor NodeSource and a member of the foundation's board of directors. With the change, users can migrate from a given version of Node to the next version without having to recompile Node native code modules.

"Think of this as a shim in between Node and the JavaScript virtual machine and the native packages," said Gaurav Seth, principal program manager lead at Microsoft. Native modules can start targeting this middle layer and become "future-proof," he said. It will become easier to upgrade both Node versions and NPM's, and developers will find it easier to migrate to newer versions of V8.

"[The API] allows Node to be highly optimized for different types of devices, scenarios, and workloads," enabling different virtual machines to be used for specific devices, Chandra said.

Also this week, the foundation will take over the Node.js Security Project, which provides a unified process for finding and disclosing security vulnerabilities in the Node ecosystem. The foundation will take over the project from Lift Security.

Addressing Node NPM module dependency issues, NodeSource is introducing NodeSource Certified Modules. The company will curate modules that are publicly available in the NPM registry, certifying them for security and dependencies. The service, currently offered in a private beta stage, addresses predicaments like the left-pad issue earlier this year, in which an NPM with 17 lines of code was removed from the registry and caused other NPMs dependent on it to fail. NodeSource Certified Modules will never get unpublished, the company vows.

NodeSource also is introducing NSolid version 2.0, an upgrade to the company's commercially supported version of Node, featuring security enhancements. These include runtime package vulnerability monitoring and customizable application security policies. Vulnerability monitoring is provided by security research firm Snyk, which can find problems such as distributed denial-of-service issues. Also featured is a guaranteed 24-hour response to security updates in the core Node project.

To improve reliability, version 2.0 features CPU profiling, heap snapshots, and async activity. The release also can be augmented with external tooling for performance monitoring and diagnostics. NSolid is available on AWS Marketplace, for one-click deployment of the NSolid runtime and console on the Amazon Web Services cloud. The platform also supports orchestration frameworks, including Kubernetes, OpenShift, and Cloud Foundry.