This guide aims to demonstrate how to diagnose bottlenecks in your node application using node-inspector and Google Chrome.
I’ve put together a very basic express app that calls off to a fake service which adds a delay of ~1 second (depending on your machine) to the response from the server. The code can be cloned from github:-
By default, node inspector will pause execution of the application at the very first line of code.
Allow code execution to continue by pressing F8 or clicking the resume execution button.
Recording the CPU Profile
Step 1. Profiles tab
So the method that’s taking a lot of time to execute is appropriately named cpuIntensiveProcess.
Clicking on the block with the name “service” will directly take you through to the source code whilst inside node inspector.
In our sample application we can now refactor the cpuIntensiveProcess method out to be more performant, or in this example just delete it entirely because it’s not doing anything useful.
It is relatively pain-free to troubleshoot performance problems in our application. Node-inspector is just one of a suite of tools available to help us monitor, report and diagnose performance problems.
In our production environment, we use New Relic to alert us if there is ever a significant degradation in time-to-first-byte performance, as well as to capture server- and client-side errors, giving better insight into how our applications behave in the real world.
It’s always a good idea to keep on top of your security updates because if you’re not looking at it, someone else probably will.
Acting on a recent denial of service vulnerability security alert from Node.js, I was tasked with upgrading our production servers to the latest Node.js version to fix the security alert. This was a pretty straightforward upgrade, only involving changing a version number in a config file and then rerunning the build / production pipelines in TeamCity to pull in the latest Node.js.
Following on from this, I wanted to check if our applications themselves contained any security vulnerabilities. The only problem is that in just one project we have at least 30 top-level package dependencies defined in our package.json, and each referenced package references other packages, and so on. Reviewing these packages by hand would take hours and is highly error-prone, making it easy to miss known vulnerabilities.
Thankfully there’s a tool to do all the hard work for you by scanning your node package.json and npm-shrinkwrap.json files for vulnerabilities.
nsp from nodesecurity.io audits your node application dependencies against its database of known security vulnerabilities.
To install globally:-
Then inside your project directory, where package.json is located, run this:-
Here’s a sample of the vulnerabilities found in just one of our production apps (security vulnerabilities now fixed!).
After upgrading all the affected packages and rerunning nsp check, I now get no security alerts reported:-
Take this further by incorporating nsp into your build processes using gulp to help stay on top of security.
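To show what a scan of package.json and npm-shrinkwrap.json has to do, and why it is impractical by hand, here is an added example that is not nsp's code and not from the original post. It walks a nested dependency tree, matches each package against an advisory list, and returns an exit code a build step can act on. The package names, versions, advisories and the `vulnerableBelow` field are all constructed for illustration.

```javascript
// Added example: constructed data, not nsp's code or advisory database.
const advisories = [
  { module: 'example-parser', vulnerableBelow: '1.4.2', title: 'Denial of service (constructed)' },
  { module: 'example-template', vulnerableBelow: '2.0.0', title: 'Injection (constructed)' },
];

// Constructed npm-shrinkwrap.json style tree: each package nests its own dependencies.
const shrinkwrap = {
  name: 'sample-app', version: '1.0.0',
  dependencies: {
    'example-web': { version: '4.0.0', dependencies: { 'example-parser': { version: '1.3.9' } } },
    'example-template': { version: '2.1.0' },
    'example-logger': { version: '0.9.0', dependencies: { 'example-template': { version: '1.9.10' } } },
  },
};

// Compare plain x.y.z versions numerically, so that 1.9.10 sorts after 1.9.2.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk every level of the tree and report each vulnerable package together
// with the chain of dependencies that pulls it in.
function audit(node, advisoryList, path = []) {
  const findings = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, `${name}@${dep.version}`];
    for (const adv of advisoryList) {
      if (adv.module === name && compareVersions(dep.version, adv.vulnerableBelow) < 0) {
        findings.push({ module: name, version: dep.version, title: adv.title, path: chain.join(' > ') });
      }
    }
    findings.push(...audit(dep, advisoryList, chain));
  }
  return findings;
}

// Build gate: a non-zero exit code fails the pipeline step.
const exitCodeFor = (findings) => (findings.length > 0 ? 1 : 0);

const findings = audit(shrinkwrap, advisories);
for (const f of findings) console.log(`${f.module}@${f.version}: ${f.title} via ${f.path}`);
```

The top-level `example-template@2.1.0` passes while the copy nested under `example-logger` does not, which is the case a review of top-level dependencies alone would miss. nsp itself has since been retired; `npm audit` performs the equivalent check against the project's lockfile.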