Node.js Security Progress Report –  More Community Participation Leads to Security Sustainability Progress 

We continue to see more participation and momentum from the Node.js community. This is critical to our success. With more security systems in place and more outside participation, we are making progress toward Node.js security sustainability. 

In March, Varun Sharma and Ashish Kurmi from StepSecurity joined the Node.js Security Working Group to help with the OSSF Scorecard initiative. StepSecurity focuses on supply chain security, and this is a great addition to the group. Also in March, Rafael Gonzaga, Node.js TSC, presented on Node.js security in Florence, Italy. He covered “5 ways you could have hacked Node.js,” which focused on how you can get involved in Node.js security. In fact, two attendees from the event made their first Pull Requests on the Node.js project. 

This is exactly what we want. Node.js security is open to anyone who wants to help. 

As always, thank you to OpenSSF and Project Alpha Omega for their continued support.

Permission Model in Node.js 20

Last month we merged the Node.js Permission Model into main, but we found some vulnerabilities. The Permission Model has been built steadily over the past 9 months and is becoming an important mechanism for better security. 

We are now using the Permission Model starting with the Node.js 20 release, released on April 18, 2023.

The Permission Model allows restriction of access to specific resources during the program execution. The API exists behind a flag –experimental-permission which, when enabled, restricts access to all available permissions. The ability to access the filesystem, spawn process, and create worker_threads can be restricted.

We have also created a Permission Model roadmap issue to establish a comprehensive roadmap for the Permission Model. To find out more, see info on the first pull request last August and the recent merge into main. We encourage you to participate!

Automating Dependencies

Starting in November 2022, the Security Working Group took a look at all dependencies in Node.js. They wanted to see if updates are automated or not, and if not, to identify which ones should be prioritized. For example, OpenSSL had docs on how to update it, but no GitHub Action. This work has continued and most Node.js dependencies are now automated! Currently, that’s 18 out of 21 dependencies total. https://github.com/nodejs/security-wg/issues/828 

Security Ecosystem

We are working to encourage ecosystem adoption, a key component to Node.js security. In March, we worked with the Fastify project, reviewing and addressing 3 reports:

• CVE-2023-29019 (@fastify/passport)
• CVE-2023-29020 (@fastify/passport)
• CVE-2023-27495 (@fastify/csrf-protection)

We expect this type of work with ecosystem partners will become more and more common moving forward.

Feedback on is-my-node-vulnerable

How do you know if your version of Node.js is vulnerable or not? We created a package called is-my-node-vulnerable to make it easy to test your specific implementation of Node.js. It helps ensure the security of your Node.js installation by checking for known vulnerabilities. It compares the version of Node.js you have installed (process.version) to the Node.js Security Database and alerts you if a vulnerability is found. 

We have seen good adoption, with people at various events letting us know that they are using it. We are looking for more feedback – please try it with your own system, and let us know if it is useful for you!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg.