Node.js Security Progress Report – Threat Model and Dependency Analysis Improvements

August was a big month for improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. There was work on the Node.js Threat Model, Dependency Analysis that created new automatic notifications, and there will be Node.js Working Group presentations on these topics and more at the upcoming Collaborator Summit in early October.

Threat Model

Threat modeling is a structured approach of identifying and prioritizing potential threats to a system, and determining the value that potential mitigations would have in reducing or neutralizing those threats. – OWASP

Work on the Node.js Threat Model continues with  the goal of listing all the current threats and their mitigation for each environment using Node.js. The Threat Model document will provide context on what will or will not be considered a vulnerability in Node.js, and will serve as a guide for application security operations in support of development teams building on top of the Node.js platform.

Dependency Analysis

A daily workflow has been created to scan Node.js dependencies and look for vulnerabilities. Whenever a vulnerability is found, an issue is created and assessed. Node.js now gets vulnerability reports about dependencies once per day as soon as vulnerabilities are identified, instead of waiting for manual reporting. 

Check out the repo for the status CVEs reported against Node.js dependencies.

Meeting Face to Face

Rafael Gonzaga from the Node.js Security Working Group will be presenting at the OpenJS Foundation Collaborator Summit, held in Dublin, Ireland, Oct 1-2, 2022. He will be presenting on what’s next for Node.js in Diagnostics and Security. Come talk about Node.js security with us!