Node.js Security Progress Report – Collab Summit Highlights Increased Focus On Security for Node.js

There was good progress in September aimed at improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. The grant helped the team cover an extra 4 reports from HackerOne, helped with 3 security releases, and made important new changes to security processes. And, we attended the OpenJS Collab Summit and got more feedback directly from Node.js members.

6 Fixed Vulnerabilities and 1 Security Release

There were 2 Security Working Group and 2 Release Working Group meetings in September. Based on 4 CVEs from HackerOne, there were 4 releases of Node in the past month, and much of the focus of our security work was here. There were also 3 security releases of Node.js in the following release lines:

Node.js v18.9.1 

Node.js v16.17.1 (LTS)

Node.js v14.20.1 (LTS)

Improving Security Processes

The Node.js team proposed and implemented 2 major changes in the mechanism for fixing CVEs. Since it’s possible that patches can create a new vulnerability, we looked for ways to better communicate back to the original reporter to close the loop. The first change is that we share a diff back to the reporter. This is a visual confirmation of the process. A second change whenever a security report is fixed, the binary will be built and sent to the reporter. We fix a problem, compile it locally, test it, create a binary, and send it (when applicable) to the original reporter through the HackerOne thread. 

OpenJS Collab Summit (Oct 1-2, 2022, Dublin, Ireland)

The Collaborators Summit brings maintainers and contributors together to discuss Node.js. Committees and working groups come together twice per year to make important decisions. In Dublin, there was lots of engagement, and we were able to hear some concerns about including security more explicitly in planning for the future. We were very pleased with the interactions.

Pictures from Collab Summit, thanks to Tony Gorez