Node.js Security Progress Report – Permission Model Merged
February included several major steps forward in improving Node.js security. We merged the Permission Model, which we have built over the past 8 months. It will make Node.js more secure by allowing the user to restrict access to machine resources, such as the file system. More information will be provided with the Node.js v19.9.0 release. We also merged the security support role, fixed and triaged issues, and engaged with multiple working groups, which means more resources and clearer processes for making Node.js secure.
As always, thank you to OpenSSF and Project Alpha Omega for their continued support.
The Permission Model was merged into the main branch. Over 8 months of work led up to this point, and the final month before the merge required a lot of time, effort and discussion. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model: https://github.com/nodejs/security-wg/issues/898
The Security Support Role 2023 was also merged last month. It defines 6 focus areas that set out the goals of this work.
More details can be found here: https://github.com/ossf/alpha-omega/blob/main/alpha/engagements/2023/node.js/security-support-role.md
We’ve improved the Node.js vulnerability database so that it now updates automatically: when a new CVE or vulnerability is published, the database is updated and anyone can access that information.
We participated directly in working group meetings, 9 sessions in total. There was excellent attendance at the February Security Working Group meeting. This month, Microsoft joined us and expressed interest in helping with policy around Single Executable Applications.