Node.js

Node.js Security Progress Report - September Community Engagement

Read our progress report on Node.js security in the month of August.

In August, half of the month was focused on the Security Release that went out August 9, 2023. Security releases require both pre- and post-release work: publishing CVEs, checking that CI passes, closing reports from HackerOne, and making sure the next group of reports is new and not already closed.

We have added new faces recently, but we’re looking for more! We will be presenting at the Open Source Day part of Grace Hopper Celebration (GHC 23), on September 22, 2023. GHC 23 is the world’s largest gathering of women and non-binary technologists. If you’re planning on attending, we’d like to meet.

This work on Node.js security is thanks to the Open Source Security Foundation (OpenSSF) and the Project Alpha Omega. Thank you for the ongoing support. You can read more details about our partnership here: Security Support Role 2023.

Fix and Triage Security Issues

Overall, we closed 14 reports in August, compared to 8 in July. Our average first response time was 5 hours, compared to 53 in July. That’s a great improvement. However, as we’ve stated before, not all reports are created equal. In July, there were reports that required specific expertise on specific platforms, while in August the majority of reports were just targeting Node.js, so the average response time improved (dropped) significantly.

Seven reports were closed as "Resolved" since they were included in the Security Release. One report was closed as N/A (non-applicable). Five reports were closed as "Informative," and 2 of those 5 required an update in the Node.js documentation. One report was closed as "Spam." This happens with reports that include lots of detailed information that is unrelated and not useful.

Support for Security Releases

Node.js published a security release on August 9, 2023, which included OpenSSL patches. Here’s the security release announcement: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases. As stated above, this was the focus of the OpenSSF funding sponsorship for the first half of the month. The security releases covered the active lines v16, v18, and v20.

Note: If you’re still using v16, you need to update. v16 is End of Life (EOL). Check if you are using an EOL version with: `npx is-my-node-vulnerable`.

Node.js Security WG Initiatives

If you are interested in seeing our 2023 Security Initiatives, including our Current Initiatives, Current Team Members, Node.js Bug Bounty Program, and more, see: https://github.com/nodejs/security-wg#current-initiatives

A breaking change arose in Node.js 20.7.0. We now allow paths containing "," for the allow-fs-* flags, which was a first PR from a new contributor (thank you, Carlos!). We are also still in progress on completing the Gold Level CII-Best-Practices from OpenSSF Best Practices. But we’re getting closer!

And, we officially changed our name from Security WG to Security Team.

Improving Security Processes

Documentation is one of the most difficult things to do in an open source project. Describing flows and processes clearly and accurately is not simple. There were 8 total “doc:” pull requests, showing effort and progress in improving security processes for Node.js.

Also, a new repo, node-stats, was created by @RafaelGSS as an attempt to share insights on the Node.js project. For example, how many security releases did the project ship over the past year? (The answer is 17.)

The module is-my-node-vulnerable, maintained by @RafaelGSS, was also updated according to the last security release.

Interested in getting involved with Node.js security? The new Permission Model is still experimental, which makes it the right time for you to try it. We are actively looking for new contributors. And, we’re super friendly! 🙂

Find out more about the Security Team here: https://github.com/nodejs/security-wg