This month's security progress report featured new security releases for Node.js, updates to the permission model, progress on automation of security releases and talks in the community.
Security for Node.js - designated as a top priority by the OpenJS Foundation and funded for the past 2 years by the Open Source Security Foundation (OpenSSF) Project Alpha-Omega - has continued to progress in 2024.
So far this year, the team has accomplished:
Read more below for details. Additionally, we would like to thank Project Alpha-Omega, whose support has been critical in helping strengthen Node.js security practices.
The hard work of delivering security releases is a key part of the work supported by the OpenSSF funding. There were two recent security releases with fixed disclosure dates based on collaboration across projects through the Vulnerability Information and Coordination Environment (VINCE). These two releases were delivered to coincide with the fixed disclosure date so that updated versions of Node.js were available when the vulnerabilities went public.
The Node.js Permission Model continues to improve, including fixes for compatibility with Electron, improvements to buffer and resolve, and a new --allow-addons flag. Native addons are restricted by default, but they can now be enabled with --allow-addons.
The Permission Model also now accepts relative paths through the CLI. For example: --experimental-permission --allow-fs-read=./index.js. This is based on requests from the community.
Search volume for "permission model" is high and indicates growing interest; a UK government organization is actively considering adopting the Permission Model. Permission Model roadmap information is available here.
In January, the team brought fs.watch under the Permission Model. The fs watcher in Node.js monitors changes in the file system: it watches a given directory or file and emits events when a file is created, updated, or deleted. This allows you to automate processes triggered by file system changes, such as reloading a web page when someone edits a file. The fs module provides several methods to implement a watcher, two of which are fs.watch() and fs.watchFile().
The project has a goal to fully automate its 29-step release process. Currently, Node.js has automations in place to start a security release - from creating an issue that lets everyone know it's starting to creating a blog post announcing the release. However, a maintainer still has to open that issue, perform many steps manually, and create proposals for each active release line. We're likely to use metadata - reports, affected versions, CVEs - to automate upcoming security releases. The team continues to make progress on this front.
We have also created a new design for security releases, more details to come!
Our community has been active at many events already over the past 6 months! Catch up on their talks below.
Interested in getting involved with Node.js security? We are actively looking for new contributors!
Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg.
If you want to join Node.js, there are multiple ways and places you can contribute. Please see here for more details: https://nodejs.org/en/get-involved/contribute.