Jun 4 2014
Jan 21 2014
Jan 2 2014


When recently writing an intel-syslog library, I noticed that somehow, npm was lacking a sane syslog library. The popular one, node-syslog, is a giant singleton, meaning it’s impossible to have more than one instance available. That felt wrong. Plus, it’s a native module, and for something so simple, I’d rather not have to compile anything.

That’s where syslogger comes in. It’s pure JavaScript, and has a simple API to allow you to create as many instances as you’d like.

var SysLogger = require('syslogger');
var logger = new SysLogger({
  name: 'myApp',
  facility: 'user',
  address: '127.0.01',
  port: 514

logger.log(severity, message);
// or
logger.notice(message); //etc



intel 0.4

I released v0.4 of intel last month, but never got around to writing up what’s new.


I started out all this logging business claiming we should console.log() all the things. intel can easily handle any libaries using console.log. However, I started to see how frustrating it could be for libraries to be spilling logs all over stdout without being asked. dbug is a utility for libraries to provide logging, but to be quiet by default.

intel v0.4 includes the ability to play nice with dbug (and debug). You can call intel.console({ debug: someStr }) to turn on dbug in libraries matching your string. Due to how debug works, by checking an environment variable right when it is required, you’ll need to run intel.console() before requiring any library that uses debug.


As with every release, things get faster. According to meaningless benchmarks, we’re now ~2x faster than winston. Whatever that means.


Not part of the actual release, but released at the same time, is an intel-syslog library. This provides a simple syslog handler that you can easily use in your app.


  handlers: {
    'syslog': {
      'class': 'intel-syslog',
      'address': '',
      'facility': 'user' //etc...

  loggers: {
    'myapp': {
      'handlers': ['syslog']


I’ve created a wiki page to contain handlers such as intel-syslog that work with intel. If you create or find a library for intel, please add it to the list so we all can be happier logging things.

Dec 16 2013
Dec 11 2013
Nov 8 2013


It’s dangerous on the internet, use some security headers. No, really. If you’re making a webapp, you need some of them lovely headers. Headers such as CSP, HSTS, X-Frame-Options. I previously implemented these in our Gmail Bridge, and then needed them again in another app. Copy over the headers code? Nonsense! That’s what libraries are for.



You can use hood without any configuration, and it will use sane defaults that most apps will want to enforce security-wise. You can also pass options to hood(options) to configure parts to be different than default, or you can use each header individually, such as hood.csp().

Included middlewares:

  • csp
  • hsts
  • xframe
  • nosniff

Why didn’t I just use Helmet?

  • helmet doesn’t by default use the Content-Security-Policy header for it’s csp middleware, which is now the standard.
  • I only expected to setup the middleware once, so needing to do pre-setup for helmet.csp by adding and configuring policies felt wrong. hood.csp just accepts policy options, so you can use it once and be done.


Cover your head, v0.1.1.

Nov 5 2013

client-sessions v0.4.0

We released v0.4.0 of client-sessions today, despite all the npm bumpiness. Here’s the changelog:

  • add activeDuration with default to 5 minutes
  • add checking for native Proxy before using node-proxy
  • add cookie.ephemeral option, default false
  • add constant-time check
  • adds self-aware check. wont override req.session if already exists
  • fix wrong handled of utf8 replacement character
  • fix http expiry of cookie to match duration
  • fix updating cookie expiry whenever duration/createdAt changes
Oct 25 2013

dbug v0.1

I’ve been on a logging spree recently, and after having spent some time on an application logging module, I’ve been thinking about what libraries can do about logging. At first I said that libraries should just dump everything into console.log, but I can definitely see downsides to that.


debug is a popular utility that handles this problem of libraries wanting logging without annoying consumers quite well. You can use debug, name a logger, and log messages all you want. Unless a consumer adds en ENV variable to listen to those debug messages, it will be all quiet.


dbug works largely the same, with a few tweaks that I feel are really helpful, but I don’t think I’d have been able to convince TJ to include them in debug.

First of all, it’s a perfectly safe drop-in replacement for debug. It has the same API.

However, it adds a few familiar methods that you’d find on the console object, so you can classify the severity of particular dbug messages. Some may simply be info messages, while others are meant to signify when an error or warn has occurred. Still though, only if the consumer has opted-in to see your messages by setting process.env.DEBUG.

The log level will be included in the log message, so everyone can see the severity.

Additionally, the DEBUG matching is slightly more lenient. You can still use * and comma separated names, but additionally, specifying a name now implies any of it’s children.

DEBUG=foo will match foo:bar. Basically, every name is also the same as name:*.


0.1 is available now.

A few things I’ve been toying with adding to additional versions:

  • DEBUG=foo.warn to only get warn or greater message from the foo logger.
  • Allowing . to be a separate in log names also: dbug('').

And, currently next up is getting intel to play nice with debug/dbug.

Page 1 of 5