Node.js Security Progress Report – Automation, Automation and more Automation

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April with more people participating than the previous month. Response time in April was 18 hours before the first response back from us, which is less than our goal of a 48 hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency update automation were completed this month, which included undici, openssl, v8, npm and more. There are only 2 more automations to go.

As a reminder, the Security Working Group started investigating dependencies in Node.js in November last year. They identified automated updates, and which ones should be prioritized: https://github.com/nodejs/security-wg/issues/828. We can already see the benefits of this work by looking at the increased number of pull requests for dependency updates automatically submitted to the project. 

Security Release Automation

The Security Working Group is focusing on implementing automation for the key dependencies in the build. This makes the overall process easier and less prone to error, and it makes it possible in the future for different stewards to complete the process. 

There are currently 26 steps in doing a Node.js security release.If greater automation works, it will be a big step forward. Please expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. Any bugs are considered vulnerabilities because they are security features. 

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self sufficiency. 

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg