Node.js Security Progress Report: Double the Outcomes with Half the Churn


Read about the accomplishments for Node.js security for August, including automation of security releases and discussing updates for the permission model and experimental features.

Since our last update, the team has been working on automation of security releases and discussing updates for the permission model and experimental features. Additionally, the OpenSSF Scorecard Action migrated to the OpenSSF repository. Support from the Open Source Security Foundation (OpenSSF)’s associate project Alpha-Omega has been critical in helping strengthen Node.js security practices – thank you!

Latest updates

  • Process automation has allowed the project to handle more security releases: twice as many were shipped in the recent period as before.
  • Experimental Network Imports (--experimental-network-imports) has been removed from Node.js.
  • Experimental Policy (--experimental-policy) has been removed from Node.js.
  • The security support role has been updated for 2024.

Read below for a deeper dive into these updates.

Automation is Enhancing Security

Over the past two months there was one security release and two releases sponsored by OpenSSF Alpha-Omega (Node.js 22.3.0 and Node.js 22.5.0). The security release addressed a bypass of the incomplete fix for CVE-2024-27980 and a bypass of the network import restriction via data: URLs. Further information can be found at https://nodejs.org/en/blog/vulnerability/july-2024-security-releases.

The security release process is now automated. In the past four months there were three security releases; before working with Alpha-Omega there used to be 5 per year! The processes we have put in place are working, making it easier for the community to get the latest security updates.

HackerOne Reports + Permission Model Updates

From June to July, 20 vulnerability reports were submitted and 10 of them were closed as not applicable. That is half the volume of the previous report for April-May, when there were 35 reports, of which nearly 20 were also not applicable.

There were also three new updates for the permission model, including:

Involving Node.js Next 10 in Security Work

We are re-evaluating Node.js experimental features in collaboration with the Node.js Next 10 group. This initiative follows the decision to discontinue support for experimental features that have remained inactive for an extended period.

Get Involved

Our team will be at multiple events this fall! Robin Ginn, Executive Director of the OpenJS Foundation and Rafael Gonzaga will be speaking on OpenJS and Node.js topics at both CityJS Medellín and NodeConf EU.

Interested in getting involved with Node.js security? We are actively looking for new contributors! Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg

If you want to join Node.js, there are multiple ways and places you can contribute. Please see here for more details: https://nodejs.org/en/get-involved/contribute. We also have a Slack channel for Node.js first contribution guidance – join `#nodejs-mentoring` if you are interested.