This month, we launched the Node.js Security Best Practices and the Node.js Threat Model – both are already getting good visibility and feedback.
One of the topics discussed this month was how to treat vulnerabilities reported against experimental features. While no final agreement was reached, for a trial period the project will work to treat them the same as for non-experimental features before possibly re-evaluating later next year. You can check out the GitHub issue here.
Thanks, as always, for the assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to the OpenJS Foundation.
5 HackerOne Reports
2 reports closed as non-applicable, 2 triaged, and 1 closed as resolved.
zlib Vulnerability Fix
The zlib vulnerability fix has landed. The issue was first patched upstream in the zlib security release of Oct 13, 2022, and that fix has now been picked up by Node.js. To be clear, the underlying issue did not affect Node.js.
OpenSSL 3.0.7 was released on Nov 1st and fixed the regression introduced by 3.0.6. The update was included in the Node.js security release available at:
Security and Regular Releases
In November, security releases for Node.js 19, Node.js 18 and Node.js 16 were released. Regular releases came out for Node.js 19 (two) and Node.js 14 (one).
Improving Security Processes
The Threat Model makes it clearer what needs to be reported. Although we have seen a drop in false positives, it is still too early to draw conclusions. We will keep monitoring and plan to iterate as we gain feedback and experience applying it to reports. We would also like to share the Threat Model more broadly so that researchers have a better understanding of what we consider a threat, and so that we can gather their feedback.
Year in Review
We’ve been working hard, and we are proud of what was completed in 2022! Here’s a partial list:
- Node.js Security Working Group reactivated with growing participation. Feel free to join!
- Managing more security issues at a faster rate with improved processes
- Creating a new Threat Model that provides context on what will and will not be considered a vulnerability in Node.js, which will particularly help inform security researchers
- Adding vulnerability checking for Node.js dependencies
- Building a security Permission Model to avoid third-party libraries accessing machine resources without user consent
- Tracking OpenSSL releases closely, documented in “Maintaining OpenSSL” in the Node.js documentation, which shows how Node.js checks requirements, extracts new OpenSSL sources, and commits them
- In-person Node.js Collab Summit security breakout
- First Node.js Security Best Practices document published
- Efforts to automate dependency updates
Looking forward to 2023
What is next? Where are we going in 2023? The Node.js Security Working Group is currently brainstorming to define the initiatives for the coming year. We would like your participation! All ideas are being reviewed in Security Working Group sessions. Please see here: https://github.com/nodejs/security-wg/issues/846
Thank you to all of our contributors and collaborators for all of the effort made on improving security processes this year!