Dear CEO (of a node-powered corporation)

First congrats! You didn’t force your developers to only use those “proven” technologies and allowed some innovation to invade your organization. You now get to join the club of companies using node. That’s pretty awesome. Node is going to significantly improve your company’s productivity, ability to hire top talent, keep your developers happy, and get back to building products, not boilerplate and abstractions.

But as with any cutting edge technology, node comes with its own risks. Node is proven but it is also very new. It is in its most critical phase of achieving mass adoption right before it is fully baked. This means complexity is at its highest level, right when the contribution payoff is at its lowest. In other words, most developers are not motivated enough or skilled enough to move it forward.

This is where you come in. But first, a quick story.

A couple of weeks ago the folks at ^Lift Security identified a flaw in v8, the JavaScript engine node is built on top. This particular flaw caused memory to leak when a certain exception was thrown, and it was an exception particularly easy to reproduce. In other words, it made it pretty easy to take down an entire site built on node if it wasn’t setup with sufficient capacity and restart automation.

The good news was that this security hole was quickly identified, corrected, and a patch released. The bad news is that the patched version introduced a new bug. This is par for the course in software development. Shit happens.

The patched version came out on a Thursday. Most companies grabbed it on Friday. On Saturday morning, when I upgraded my own development environment I discovered that this new version breaks a feature in hapi, our enterprise-grade open source node framework. The specifics of the bug are somewhat “amusing” – it caused timeouts set with milliseconds fractions to basically get the entire node event loop stuck. Now, why would anyone set a timeout using a floating point number? Well, that was another, very old bug in hapi that never mattered before.

What makes this bugs combination even more “amusing” is that it was in the code responsible for keeping server load under control. With these two bugs, servers would stop working altogether under load instead of handling it. Slightly different from the intended outcome.

So – Saturday morning, major security bug announced, companies upgrading their environments, and our framework cannot work on the new, safer version.

Under past circumstances, we would have contacted the core team via an issue and IRC, and waited for them to find the time to identify and fix the bug. And usually that would work well. The problem is, I am among those responsible for the development of a system that’s becoming more and more critical to the bottom line of a gigantic operation. Sounds familiar? This is an unacceptable risk.

But this story has a happy ending! Within an hour of me identifying the issue, Chris Dickinson – our in-house node core contributor – was able to identify the root cause, and together we released a patched version of hapi with a workaround. This is the kind of SLA an operation like Walmart requires.

Back to you.

Node is ready, today, for taking on the most critical components of your business. But like any cutting edge technology, it comes with risks. These risks can be easily mitigated by making sure your have the right team and right resources available to you. Access to a node core contributor is absolutely essential. This is not a luxury.

Let me make it absolutely clear: if you use node for any serious business (and I will leave it up to you to define what “serious” means), you are being irresponsible to your company and shareholders if you do not secure the appropriate access to node core resources under an SLA.

There are a few ways to gain such access.

The best of course (but also the one with the biggest commitment and probably highest price tag) is to hire a full time developer to work exclusively on node core. But like any business decision, this has to be justified and will likely only make sense at a price point that’s as expensive (or cheaper) than paying someone else for the same SLA.

If you are not quite there yet, consider contracting a part time consultant or hire a company with such resources under an SLA that fits your needs. It is pretty easy to find such providers. Joyent provides this service as part of their SmartDataCenter product (as well as some limited support for Linux). NodeSource is a new company (made out of some of the most experienced node developers) offering a comprehensive solution. There are a few more, just ask around.

This is not only smart business, it is also the right thing to do. It provides crucial support to a technology you directly benefit from. It is the easiest way for you to pay back and support the community. It will also earn your company plenty of good karma points, which you will find handy when it’s time to hire the best talent.

Not sure how to go about this? eran@hammer.io