"Don't block the event loop": New guide on avoiding DoS #1471

Closed
@davisjam

Description

We know, we know, "Don't block the event loop"
The Node.js event loop follows the event-driven architecture, with a single-threaded Event Loop supported by a small Worker Pool for expensive operations like FS and DNS.

Though "Don't block the event loop" is a good rule of thumb, developers new to the EDA could easily expose themselves to this and other Denial of Service vulnerabilities if they don't think carefully about the implications of the limited supply of threads. For example, REDOS is a very real threat but a bit of a surprise as a way to block the event loop.

There are of course a lot of blog posts describing this issue in varying levels of formality and detail, but I think the community would benefit from a guide put out by a central authority -- like nodejs.org!

Also don't block the threadpool
Since libuv's threadpool is tiny (default 4 threads, max 128), cavalierly offloading hugely expensive work to the threadpool is also not a good idea. Continuing with the REDOS example, unfortunately, this is done by some of the "safe" regex modules.

More on this if you're interested
I've discussed this a bit in an academic workshop paper (link), but since then I've done a larger survey of the npm vulnerabilities reported by Snyk.io and believe that the Node community would benefit from a public guide to this problem.

PR
I'm happy to prepare this guide and submit a PR if there's interest. However, I can only prepare this document in English.
