Node.js developers disable RC4, SSLv2, and SSLv3

Sep 11, 2015 01:56 GMT

Node.js 4.0.0 was released two days ago, and as with any major branch of any software, it comes with a lot of breaking changes.

Because Node was stuck at version 0.x for many years and was never considered stable enough for a 1.x release, part of its community forked the code and created io.js.

This secondary project saw a lot of work while separate from Node.js core, reaching version 3.x (3.3.0, to be exact) in its final standalone release.

Now that the two projects have agreed to merge their code back together with the release of Node.js 4.0.0, the Node community is facing a steep jump in new features, most of which are either new or very different from what it had in the older 0.12.x releases.

Security-wise, there are two changes that will affect your regular Node.js project coding routine.

First off, Node's developers have reached the same conclusion about RC4 that some browser makers and the IETF's engineers reached before them.

"RC4 is now considered insecure and has been removed from the list of default ciphers for TLS servers," Node developers say. "Use the ciphers option when starting a new TLS server to supply an alternative list."

The second major breaking change relates to SSL (Secure Sockets Layer), and starting with Node 4, both SSLv2 and SSLv3 have been disabled at compile time.

SSLv2 was disabled because it was deprecated and "known broken for nearly twenty years now," while SSLv3 was disabled because it was susceptible to downgrade attacks.