The most interesting part (to me) is that the server will handle e.g. "PUN" as though it actually said "PUT". I wonder if this could be used as an attack vector?
Sounds a lot like a "confused deputy" situation: imagine that your L7 firewall has a rule to reject any PUT request, but it sees PUN and thus allows the request to pass through to node.js, which then treats it as though it were actually PUT.
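The filter-versus-backend mismatch described in the two comments above, as an added example that is not part of the thread and not Node's own code. The prefix-matching backend is a constructed stand-in for the reported "PUN handled as PUT" behaviour, and all function names are hypothetical; it compares a denylist filter with an exact-match allowlist filter.

```javascript
'use strict';

// Constructed stand-in for a lenient backend: it picks the method from the
// first two characters of the token. This only models the behaviour reported
// in the thread ("PUN" handled as "PUT"); it is not Node's parser.
function lenientBackendMethod(token) {
  const known = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE'];
  return known.find((m) => m.slice(0, 2) === token.slice(0, 2)) || null;
}

// Pull the method token out of an HTTP/1.x request line using the RFC 7230
// "token" character set. Returns null when the line is malformed.
function methodToken(requestLine) {
  const m = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) \S+ HTTP\/1\.[01]$/.exec(requestLine);
  return m ? m[1] : null;
}

// Denylist filter: rejects only the exact strings it was told about.
function denylistFilter(token, blocked) {
  return !blocked.includes(token); // true means "forward to backend"
}

// Allowlist filter: forwards only exact, case-sensitive matches.
function allowlistFilter(token, allowed) {
  return allowed.includes(token);
}

// Run one request line through a filter, then report what the lenient
// backend would act on if the request was forwarded.
function evaluate(requestLine, filter) {
  const token = methodToken(requestLine);
  if (token === null) return { forwarded: false, backendSees: null };
  const forwarded = filter(token);
  return { forwarded, backendSees: forwarded ? lenientBackendMethod(token) : null };
}

const deny = (t) => denylistFilter(t, ['PUT']);
const allow = (t) => allowlistFilter(t, ['GET', 'HEAD', 'POST']);

// Constructed request lines for the demonstration.
const samples = ['PUT /doc HTTP/1.1', 'PUN /doc HTTP/1.1', 'GET /doc HTTP/1.1'];
for (const line of samples) {
  console.log(line, '| denylist:', evaluate(line, deny), '| allowlist:', evaluate(line, allow));
}
```

With the denylist, the `PUN` line is forwarded and the backend acts on it as `PUT`; with the allowlist it is rejected before the backend ever interprets it.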
It is now 0.10.xxx ... and before that it was 0.9; probably when it becomes 0.99, it will go to 0.100 and so on ... I highly recommend that anyone avoid using Node in production until its developers grow up, and become responsible for a stable API, and not change their minds every 2 months.
Do you have any links that point to "the developers changing their minds every 2 months"? How have you been affected? As a node user for 2 years, my view is that the API has been fairly stable of late.
The mailing list just had a long post by Isaacs about how 0.10 is the last release before 1.0 and that 1.0 should be backward compatible with anything you write for 0.10.