The NodeSource Blog

Why 2016 Was the Best Year Ever for Node.js - Node by Numbers 2016

Yes, that's right, I'm going to argue that 2016 was our best year ever, and may go down as the most important period in the history of Node.js, backed by some hard numbers from this year's Node by Numbers. But first, let me clear the air about a couple of things.

As a whole, 2015 was big for Node.js. The project was beginning to show signs of stagnation and the growing frustration from the user community was starting to boil over. However, after the tumult of the io.js fork, we managed to reunite the ecosystem under the Node.js Foundation and cross the streams of corporate and individual contributions under one codebase to deliver Node.js 4.

Our LTS schedule got serious and we've been delivering stable, secure and dependable releases under the Node.js 4 LTS "Argon" release line ever since. We've watched as these releases have become the backbone of a massive uptick in adoption, from the individual hobbyist having some fun to the high-profile enterprise migrations away from the new legacy stack.

In fact, we can partially attribute the success of Node.js to the re-categorisation of Java to "legacy". Now, any large company serious about their technology stack now has to pay attention to Node.js, and at least consider how it might fit within their environments. But 2015 was only a taste of what's in store for Node.

That said, I don't want to pretend that 2016 was all positives. For me, the biggest negative was having to say goodbye to the 0.10 release line.

After much hard work, Isaac Z. Schlueter and the core team at the time announced the release of 0.10.0 in March, 2011. In many ways, this was a pivotal release for the Node.js project and marked the beginning of a time of API refinement rather than the API experimentation and reinvention that had characterised earlier release lines.

Many of us still think of Node.js 0.10 as representing the era that Node.js grew up. It marked the point at which many companies - both small and large - began considering Node.js as more than a toy or an annoying but necessary part of their build toolchain.

What we know now as idiomatic Node.js has its roots firmly in the 0.10 era. Development, deployment, and maintenance best practices for Node.js came into their own - developers began to deeply understand and effectively communicate these best practices around this time. The increasingly serious investment in Node.js paved the way for the Node.js Foundation and many of the new companies focused on Node.js (including NodeSource, of course).

But, as they say, all good things must come to an end. Node.js 0.10 is no exception. The lack of upstream support for most of its important dependencies (most notably OpenSSL and V8) became too great a hindrance and created too many security and stability risks. Plus, the Node.js core team can only spread ourselves so thin! As I write, we are managing two LTS release lines (Argon and Boron), a Current release line in Node 7, and are preparing the groundwork for Node 8 which will eventually become our third active LTS release line.

Enough with the ancient history lesson, let me take you on a tour of Node.js in 2016 with some of the greatest highlights that made 2016 the best year ever for Node.js.

Boron

The Node.js core team is proud of its second LTS release line. In October, Node.js 6 switched from "Current" to "LTS" and adopted the codename Boron. And when I refer to the "team", I'm not talking about a small cabal. In preparation for Boron, 403 people contributed code to Node.js as it evolved from the original Node.js 4 branch. We're going to be seeing releases for Boron into 2019. Having learnt a lot of lessons about stability and security through the Node.js 4 Argon LTS period to date, you can be sure that any new release in the Boron release line will be stable and dependable for serious production use.

Argon was our practice for a transition to LTS, coming just one month after we released Node.js 4.0.0 in September 2015. Boron had a full 6 months of preparation to be released as LTS, on top of the development done on the intermediate Node.js 5 release line.

Security

Node's security procedures and processes grew up in 2016. While we still need to fully document the way we handle security matters today, but we have an established pattern and are proud of the work we do to keep Node users secure.

If you review the security announcements and releases during the year, you'll quickly pick up on the pattern.

  1. We react to a mix of sources for discovery of security vulnerabilities. OpenSSL and V8 being the two most common sources but we also receive excellently researched reports via security@nodejs.org, from security professionals and average Node users alike. The core team is also responsible for a sizable portion of vulnerability discoveries, which is not surprising given their deep familiarity with the code, and the calibre of engineers on the team.
  2. We process security reports privately and discuss and review fixes as a group. The Core Technical Committee (CTC) and a number of additional experts constitute a private team that replicates the collaborative process found on the core Node.js repository, but on a smaller scale.
  3. We publish notifications of upcoming fixes along with non-specific impact assessments. Our excellent crypto team are key to this process particularly when OpenSSL flaws are being fixed and we need to translate the expert language into something more digestible to the average Node user.
  4. We cut releases, coordinated across the active and impacted release lines, and announce, with full disclosure, what was fixed. We have take the stance that full disclosure is almost always the best choice as gives the user everything they need to make informed decisions about how any vulnerabilities may affect their applications. It's true that very often, our security releases only impact a small portion of the Node user base, but we would much rather give everyone the information they need rather than the alternative - to trigger the panic or fear that inevitably comes from a lack of information.

We're proud of the repeatability of this pattern and the fact that we've established predictability in how we handle security matters. The core team considers user trust a vital part of their job and security is a major component of that.

In late 2016, the Foundation got to announce that the Node Security Project would be moving into the foundation. This is a major step forward for ecosystem security and health. Reporting and responding to Node core and Node ecosystem vulnerabilities will now be handled under a single banner, with unified procedures and accountability.

Under the Foundation, the Node Security Project will become a common source of data on open source ecosystem vulnerabilities, allowing companies like ^lift Security, Snyk, and others, to compete at the product level rather than competing with differing data sets. The open source community will also be able to leverage this data to build innovative tools and development best-practices to level-up the state of open source security around Node.

A new Security Working Group is in the process of being formed to take on the task of formalising our policies and procedures, and mapping a path forward to integrating the Node Security Project into the Foundation. Expect to hear more encouraging news on the security front in 2017, but know that the foundation of the work to come was laid in 2016!

Node Interactive

After moving into his role as Community Manager in the Node Foundation, Mikeal Rogers decided to end his amazing run as organiser of NodeConf. For years, NodeConf has set the tone for Node-related conferences around the world, and, along with JSConf, has played a role in defining what the modern tech community conference looks like.

As part of his role in the Foundation, Mikeal has worked with the events team of the Linux Foundation to define a series of professional conferences aimed at today's average Node.js user. Node has grown up, and so has its conferences. Even though the team has been able to lean on the experience of running events for the Linux Foundation, Node Interactive is something of unique challenge. Node's highly diverse user base have created a learning experience that Mikeal and team have had to embrace.

Node Interactive North America 2016 was held in Austin, Texas. The event was the third Node Interactive to date, and was a crowning achievement for all involved in its organisation and execution. With over 700 attendees at the event to see a solid lineup of speakers, workshops and sponsors, the event has been widely celebrated amongst the Node.js community.

While those of us who had the pleasure of attending NodeConf of old may reflect on the fond memories, there's no doubt that Node Interactive has become the right conference to reflect the Node.js ecosystem of today.

Expect to hear news of Node Interactive in 2017, and be sure to drag your team along for a great learning and networking experience.

Contributors

The core team was pretty proud of its code contributor growth numbers in 2015. They showed what could be achieved under open governance and by giving away ownership of the project's future to those who become involved. But now now we can tally up the contributor metrics for 2016, we can see that the previous year was just a warm-up.

The factors responsible for this growth are many, but the primary drivers are an overt effort to decrease contributor friction, and an explicit exercise in outreach.

The entry-points for new contributors are constantly under critique, from both inside and out. As a result, we see continual improvement and tuning going into documentation, presentation, and various other forms of communication.

It's easy to miss the obvious barriers to newcomers when you have your head deep in a community, so having a steady stream of new members joining simply escalates the work in attacking that friction as they themselves have to come through it. It's also true that most, perhaps all, of the individuals that hang around the Node.js core project, enjoy the open source community. Keeping that community growing and healthy is in our own self interest, so we can continue to build relationships, learn from each other, and just generally nerd-out over a shared passion.

Record User Growth

Measuring growth in downloads from the official Node.js website is our primary mechanism for understanding user growth. It's not perfect, but it's a reliable proxy for the growth in adoption in Node.js. We began the Node.js Foundation with an relatively steady 200% year on year growth rate. It's been our benchmark for understanding what a healthy adoption curve looks like and a key way that we keep perspective on Node's place in the wider software development ecosystem.

Well, in 2016 we didn't hit our 200% benchmark, we exceeded it, with a growth rate of 220%! What's most impressive about this number is that it's built on top of slightly fewer total releases than in 2015. In 2015, we had an average of 5.92 releases a month. In 2016, we saw an average of 5.83 releases a month.

The more software releases you make, the more downloads each individual user contributes to your total count. In 2016, we increased the rate of contributons while releasing fewer times than in the previous year. It's impossible to read this any other way than the rate of adoption of Node.js is accelerating.

Along with more users comes a larger ecosystem. That ecosystem consists of community groups all the way up to large enterprises. In the middle are startups and contracting houses - companies like NodeSource and the otherayou'll find in the Node.js Foundation membership list.

These middle sector companies are the source of rapid innovation in tools and services being offered to Node.js users. NodeSource is busy fitting out the Enterprise with appropriate tooling, while ZEIT is innovating with completely new ways to deploy Node.js products, ^Lift and Snyk are busily building products and services around security concerns, and there's a growing list of contracting and consulting companies serving generic and niche needs of Node.js users.

As individuals, this growth also serves us by providing huge range of employment opportunities to work on a technology that's truly still a thrill to use.

Find out why 2016 was the best year ever for Node.js View Node by Numbers 2016

Looking Forward

Looking at the year ahead of us, we’re all truly excited to see the Node.js project continue to grow.

There’s been no signs that the project is slowing down in its growth or momentum. In fact, quite the opposite - the numbers from 2016 have shown us that Node.js has begun to gain even more momentum, even more adoption, even more community, on top of the consistent 100% gain we’ve seen, year over year, to date.