Node.js

Node.js Security Progress Report – Active Outreach to a Growing Node.js Security Community


Check out what we've been up to in this edition of our Node.js Security Progress Report.

Thank you to the Open Source Security Foundation (OpenSSF) Project Alpha-Omega for support in strengthening Node.js security practices. If you want to join in help Node.js, contributions are welcome. There are multiple ways and places you can contribute: https://nodejs.org/en/get-involved/contribute If you want to jump right here, here’s information on creating a Pull Request: https://github.com/nodejs/node/blob/main/CONTRIBUTING.md

Active Outreach

We are actively out in the community, looking to connect with new community members. That means you! Rafael Gonzaga, Node.js Technical Steering Committee (TSC) Member, recently presented at NodeConf, talking about the “Journey of the Node.js Permission Model.”

Other developers have noticed, too. Jeff Delaney (FireShip), with over 2.5M subscribers on YouTube, states that “Node.js has been quietly getting better,” and mentions the Permission Model explicitly.

Presentations and Interactions with the Community

Image from NodeConf Session

Photo Credit: Nico Kaiser, NearForm

Also at NodeConf, we held a Your First Contribution to Node.js Workshop. It ran for just 1.5 hours, but we got 6 PRs during, and 4 more after. This is an excellent response. 

If you want to connect with us directly, there’s another chance this year. Rafael will be at the Open Source Experience in Paris, France. He’s speaking on “5 Ways You Could Have Hacked Node.js,” on December 7, 10:50 am - 11:10 am, in room 153b. It’s a huge venue, with 200 speakers. Tickets are free.

Rafael’s talk summary says, “I’ll share with you 5 ways in which Node.js can be hacked, and delve into the tactics used by the Node.js team to deal with vulnerabilities. Moreover, I’ll also reveal how you can earn money by finding critical vulnerabilities in Node.js. So, whether you’re a developer, a security enthusiast, or simply curious about Node.js security, this talk is for you.”

Quick Shout Out

We’d like to send a quick thank you to Tobias Niessen, PhD student at TU Wien (Austria), Node.js Technical Steering Committee. He has been helping the Node.js security team a lot, and we benefit from his contributions.

Quick Details on Node.js Security Improvements

From NodeConf 2023 

Photo Credit: Nico Kaiser, NearForm

Interested in getting involved with Node.js security? We are actively looking for new contributors! Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg