
Node.js Security Progress Report – Active Outreach to a Growing Node.js Security Community

Check out what we've been up to in this edition of our Node.js Security Progress Report.

Thank you to the Open Source Security Foundation (OpenSSF) Project Alpha-Omega for support in strengthening Node.js security practices. If you want to join in helping Node.js, contributions are welcome. There are multiple ways and places you can contribute: https://nodejs.org/en/get-involved/contribute If you want to jump right in, here’s information on creating a Pull Request: https://github.com/nodejs/node/blob/main/CONTRIBUTING.md

Active Outreach

We are actively out in the community, looking to connect with new community members. That means you! Rafael Gonzaga, Node.js Technical Steering Committee (TSC) Member, recently presented at NodeConf, talking about the “Journey of the Node.js Permission Model.”

Other developers have noticed, too. Jeff Delaney (FireShip), with over 2.5M subscribers on YouTube, states that “Node.js has been quietly getting better,” and mentions the Permission Model explicitly.

Presentations and Interactions with the Community

[Image: NodeConf session. Photo Credit: Nico Kaiser, NearForm]

Also at NodeConf, we held a Your First Contribution to Node.js Workshop. It ran for just 1.5 hours, but we got 6 PRs during the workshop and 4 more afterwards. This is an excellent response.

If you want to connect with us directly, there’s another chance this year. Rafael will be at the Open Source Experience in Paris, France. He’s speaking on “5 Ways You Could Have Hacked Node.js,” on December 7, 10:50 am - 11:10 am, in room 153b. It’s a huge venue, with 200 speakers. Tickets are free.

Rafael’s talk summary says, “I’ll share with you 5 ways in which Node.js can be hacked, and delve into the tactics used by the Node.js team to deal with vulnerabilities. Moreover, I’ll also reveal how you can earn money by finding critical vulnerabilities in Node.js. So, whether you’re a developer, a security enthusiast, or simply curious about Node.js security, this talk is for you.”

Quick Shout Out

We’d like to send a quick thank you to Tobias Niessen, PhD student at TU Wien (Austria), Node.js Technical Steering Committee. He has been helping the Node.js security team a lot, and we benefit from his contributions.

Quick Details on Node.js Security Improvements

[Image: From NodeConf 2023. Photo Credit: Nico Kaiser, NearForm]

Interested in getting involved with Node.js security? We are actively looking for new contributors! Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg