Check out what we've been up to in this edition of our Node.js Security Progress Report.

Check out what we've been up to in this edition of our Node.js Security Progress Report.

October was busy due to the latest security release affecting Node.js 18 and Node.js 20. Usually, we lock in the Continuous Integration (CI) cycle at least 5 days before a release. This time, however, due to the recent changes to the CITGM (Canary In The Gold Mine: a simple tool for pulling down an arbitrary module from npm and testing it using a specific version of the node runtime) and changes to the automation of the security release proposal, it was just 3 days.

The release of Node.js 21 is available now! Node.js 21 replaces Node.js 20 as our current release line, and Node.js 20 is being promoted to long-term support (LTS). 

Read our progress report on Node.js security in the month of August.

In July, we continued our regular work triaging and fixing Node.js security issues

In July, we continued our regular work triaging and fixing Node.js security issues. We also welcomed a new contributor to the Node.js Security Working Group team, and increased the number of security releases, which improves security by making updates available more quickly. We have also continued to evaluate the Permission Model including adding a startup benchmark, adding support for V8 HeapSnapshot and Node.js reports, and cut down the number of steps it takes to create a security release.

In June, we saw all of our Node.js security metrics trending in the right direction.

Last month, we reported that the first response time in April was down to 18 hours.

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies.

We continue to see more participation and momentum from the Node.js community.

Node.js 20 includes new Node.js experimental permission model for improved security

February included several major steps forward in improving Node.js security.

January was busy with HackerOne reports, vulnerability fixes for OpenSSL and Node.js and security updates due to the upcoming Node.js security release.

December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be.

This month, we launched the Node.js Security Best Practices and the Node.js Threat Model – both are already getting good visibility and feedback.

A low-coding development platform fit for the enterprise, started by the Node-RED co-founder, now a part of the OpenJS Foundation

October saw steady improvements to Node.js security in multiple areas, assisted by the Open Source Security Foundation (OpenSSF) grant to the OpenJS Foundation.

The release of Node.js 19 is now available! Node.js 19 replaces Node.js 18 as our current release line, with Node.js 18 being promoted to long-term support (LTS) next week.

There was good progress in September aimed at improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS.

August was a big month for improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS.

July was a busy month for improving Node.js security, with reinforcements from the Open Source Security Foundation (OpenSSF) grant to OpenJS!

Dave Clements is an open source advocate and is the tech lead and primary author of OpenJS Foundation Node.js training and certification programs.

Node.js 18 is available now!

Today, we’re excited to announce that Node.js is the first open source community to be supported by OpenSSF’s Alpha-Omega Project.

OpenJS Foundation had previously been granted free, perpetual license to use Node.js trademarks and logo for the past 6 years

Bethany Griggs, Node.js Technical Steering Committee member, and Senior Software Engineer at Red Hat, describes in detail how new and experimental features are added to the Node.js project.

This blog was written by Bethany Griggs, with additional contributions from the Node.js Technical Steering Committee and project collaborators.

This blog was originally authored by Tierney Cyren and posted on the nodejs.org blog on October 7, 2021.

Today, the OpenJS Foundation is launching a new scholarship fund to increase access to the OpenJS and Linux Foundation Training (LiFT) Node.js training and certification and help expand diversity in technology.