Check out what we've been up to in this edition of our Node.js Security Progress Report.
Thank you to the Open Source Security Foundation (OpenSSF) Project Alpha-Omega for support in strengthening Node.js security practices. If you want to join in and help Node.js, contributions are welcome. There are multiple ways and places you can contribute: https://nodejs.org/en/get-involved/contribute. If you want to jump right in, here’s information on creating a Pull Request: https://github.com/nodejs/node/blob/main/CONTRIBUTING.md
We are actively out in the community, looking to connect with new community members. That means you! Rafael Gonzaga, Node.js Technical Steering Committee (TSC) Member, recently presented at NodeConf, talking about the “Journey of the Node.js Permission Model.”
Other developers have noticed, too. Jeff Delaney (FireShip), with over 2.5M subscribers on YouTube, states that “Node.js has been quietly getting better,” and mentions the Permission Model explicitly.
Photo Credit: Nico Kaiser, NearForm
Also at NodeConf, we held a “Your First Contribution to Node.js” workshop. It ran for just 1.5 hours, but we received 6 PRs during the workshop and 4 more afterward. This is an excellent response.
If you want to connect with us directly, there’s another chance this year. Rafael will be at the Open Source Experience in Paris, France. He’s speaking on “5 Ways You Could Have Hacked Node.js,” on December 7, 10:50 am - 11:10 am, in room 153b. It’s a huge venue, with 200 speakers. Tickets are free.
Rafael’s talk summary says, “I’ll share with you 5 ways in which Node.js can be hacked, and delve into the tactics used by the Node.js team to deal with vulnerabilities. Moreover, I’ll also reveal how you can earn money by finding critical vulnerabilities in Node.js. So, whether you’re a developer, a security enthusiast, or simply curious about Node.js security, this talk is for you.”
We’d like to send a quick thank you to Tobias Niessen, PhD student at TU Wien (Austria) and Node.js Technical Steering Committee member. He has been helping the Node.js security team a lot, and we benefit from his contributions.
Interested in getting involved with Node.js security? We are actively looking for new contributors! Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg