Node.js Security Progress Report: Redefining Security Processes and Key Initiatives

Read about the accomplishments for Node.js security for May!

Security for Node.js has continued to be a top priority for the OpenJS Foundation and the team has been progressing on the ease and function of security processes. 

Updates this month:

  • Fixed and triaged 34 reports
  • Two security releases in April were coordinated via MITRE
  • 2024 Node.js security initiatives 
  • Improved security workflows
  • --experimental-policy has been removed
  • Updates to Node.js Permission Model

Read more below for details on the past month’s progress. The Open Source Security Foundation (OpenSSF) Project Alpha-Omega support has been critical in helping strengthen Node.js security practices – thank you!

Fixing and triaging security issues

34 reports were processed over March, April and May. We’re excited to share that the nodejs-cve-checker has been added to the Node.js organization. This is a simple tool that validates CVEs that were published to NVD after a Node.js Security Release.

Security releases

Two major releases were coordinated in April, one for HTTP/2 & HTTP/1.1 fixes and the other for fixing Windows BadBatBug. The team coordinated these releases via MITRE with success. Check them at

Security initiatives redefined

Over the past few months, the team has been working on redefining a new set of security initiatives to work on for the remainder of 2024 and beyond. In addition to the below, the team also hopes to include prioritizing SBOMs in the future.

  • Automate Security release process
  • Node.js maintainers threat model
  • Audit build process for dependencies

Additionally, Microsoft joined Node.js Security Team meeting to discuss a replacement to --policy-integrity and compromising on supporting an eventual feature.

Improved security workflows

The Permission Model has continued to gain traction and now includes support for `--allow-wasi` and  `process.chdir`.  There were other notable changes as well, including a breaking change for throwing async errors for async APIs.

This phase of the Permission Model is now complete per the Node.js Security Team.

The team has also redesigned processes to make the security release more streamlined – including updates to `node-core-utils`.

Get involved

Interested in getting involved with Node.js security? We are actively looking for new contributors! 

Find out more about the Node.js Security Team here:

If you want to join Node.js, there are multiple ways and places you can contribute. Please see here for more details: We also have a Slack channel for Node.js first contribution guidance – join `#nodejs-mentoring` if you are interested.