July was a busy month for improving Node.js security, with reinforcements from the Open Source Security Foundation (OpenSSF) grant to OpenJS! The month brought the first pull request for the Permission System, a Node.js Security Release, a new OpenSSL Security Release (which meant updates to Node.js v18, v16, and v14), and the triage and fixing of five HackerOne reports.
Node.js is building a security Permission System to avoid third-party libraries accessing machine resources without user consent. The Permission System got its first pull request in July! The pull request is 1,200 lines and includes the foundation of the Permission Model. There has been good feedback from the community, and the pull request has been shared publicly. This is the starting point; plenty of review and discussion is expected.
It is best practice to ship a revert flag alongside security updates that may include breaking changes, so that installations which need a temporary workaround can opt out. For v16 and v14, the fixes were implemented without the revert flag (--openssl-shared-config), but we are working to make it available in the next Node.js release.
Node.js tracks OpenSSL releases closely. The document Maintaining OpenSSL shows how we check requirements, extract new OpenSSL sources, and commit them.
Triaging and Fixing
Node.js analyzes and resolves reports submitted through HackerOne. The team triages Node.js issues and fixes security vulnerabilities; HackerOne access is required. For security reasons, reports are not disclosed until a CVE has been assigned.
Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar and find issues for meetings in this repo: nodejs/security-wg.
Both speakers gave an overview and walked the audience through the associated specification to give deeper insight into the language and its constructs. Both shared the foundational skills required to read and understand the spec, translate the spec into code, and more!
In April this year, the OpenJS Foundation announced the Open Source Security Foundation (OpenSSF) had selected Node.js as their initial project to help improve supply chain security. As part of OpenSSF’s Alpha-Omega Project, $300k was committed to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022. The focus is on supporting better open source security standards and practices. The Alpha-Omega repo for Node.js is here.
Since the announcement, OpenJS has quickly onboarded new OpenSSF security support resources who hit the ground running. Better plans and processes have already started to be built out and are already having an impact.
For example, security processes are being improved through a Security Model that is being discussed in the Security Working Group. The structure has been defined, and the group is currently working to document the assumptions made by the Node.js runtime.
The community is creating a new Threat Model that provides context on what will and will not be considered a vulnerability in Node.js, which will particularly help inform security researchers. It includes all the current threats and their mitigations for each environment in which Node.js is used. Note: This may change over releases.
The community also added vulnerability checking for Node.js dependencies. This is a new script that queries vulnerability databases in order to find if any of Node.js’ dependencies are vulnerable. It runs as part of the continuous integration workflow, and if any new vulnerabilities are found, it automatically opens an issue tagging Node.js’ maintainers and Security Working Group members.
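To make the dependency check described above concrete, here is an added example (not the Node.js project's own script) that matches a bundled-dependency table against OSV-style advisory ranges and renders the text a CI job would post as a tracking issue. Dependency versions, advisory ids and ranges are constructed placeholders.

```javascript
// Added example, not the Node.js project's own script; all versions and
// advisory records below are constructed placeholders.
// Compare dotted numeric versions such as "1.2.13" and "3.0.5".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// OSV-style range events: each "introduced" opens an affected interval that
// the next "fixed" closes; a trailing "introduced" with no fix stays open.
function isAffected(version, events) {
  let start = null;
  for (const ev of events) {
    if (ev.introduced !== undefined) start = ev.introduced;
    if (ev.fixed !== undefined) {
      if (start !== null && compareVersions(version, start) >= 0 &&
          compareVersions(version, ev.fixed) < 0) return true;
      start = null;
    }
  }
  return start !== null && compareVersions(version, start) >= 0;
}

// Cross the bundled-dependency table with advisories; returns the findings.
function findVulnerable(deps, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const aff of adv.affected) {
      const have = deps[aff.package];
      if (have === undefined) continue;
      if (aff.ranges.some(r => isAffected(have, r.events))) {
        findings.push({ id: adv.id, package: aff.package, version: have });
      }
    }
  }
  return findings;
}

// Text a CI job would post as the tracking issue; null means nothing to file.
function issueBody(findings) {
  if (findings.length === 0) return null;
  return findings.map(f => `- ${f.package}@${f.version}: ${f.id}`).join('\n');
}

// Constructed sample input: names reuse real bundled dependencies, versions and
// advisory ids are made up.
const SAMPLE_DEPS = { zlib: '1.2.11', 'c-ares': '1.18.1', nghttp2: '1.47.0' };
const SAMPLE_ADVISORIES = [
  { id: 'EXAMPLE-0001', affected: [{ package: 'zlib',
      ranges: [{ events: [{ introduced: '0' }, { fixed: '1.2.12' }] }] }] },
  { id: 'EXAMPLE-0002', affected: [{ package: 'nghttp2',
      ranges: [{ events: [{ introduced: '1.50.0' }] }] }] },
];
```

Running `findVulnerable(SAMPLE_DEPS, SAMPLE_ADVISORIES)` flags only zlib, since the sample nghttp2 version sits below the open range's "introduced" version.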
Day-to-day security is run through the triage team, which looks at HackerOne reports to fix issues and handles the ongoing OpenSSL reports and updates. The turnaround time on fixes has been tightened from about one week to under two days.
The Security Working Group, which has a broader mandate to look at the future of Node.js security, has been reactivated, meeting every two weeks.
Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar.
In this recap from the OpenJS World Keynote Series, we’re highlighting a keynote on open source security. To view all of the keynotes from the conference, please visit the OpenJS YouTube Channel.
Brian Behlendorf, General Manager for the Open Source Security Foundation (OpenSSF), presented at OpenJS World 2022 on Securing the Open Source Ecosystem. The presentation began with Brian explaining the problem of supply chain breaches and the other factors affected by these vulnerabilities. He then covered what OpenSSF is doing to work across the supply chain and prevent these types of threats.
The presentation then gives an overview of the mobilization plan. Brian mentions this was planned after a meeting with a U.S. federal agency to strengthen security and open source. There is also a quick run-through of the ten different mobilization plans and their goals, covering security education, risk assessment, incident response, SBOMs, and others.
In the first recap of our OpenJS World Keynote Series, we’ll highlight the opening remarks from OpenJS World 2022. To view all of the keynotes from the conference, please visit the OpenJS YouTube Channel.
In this recorded keynote, Robin Ginn, executive director of the OpenJS Foundation, and Chris Gervang, Senior Software Engineer, Visualization at Joby Aviation, give the opening remarks at OpenJS World 2022, held in Austin, TX, June 6-10, 2022. Robin started the keynote by inviting the audience to take a step back and look at their previous work, emphasizing the importance of looking back in order to make an impact without losing perspective. She shared a personal experience touching on some historical background and difficulties encountered in the open source community, and then went on to emphasize the importance of lifting each other up in communities.
We hope everyone enjoyed the conference whether you attended virtually or in person with us in Austin! For those who did not attend the event, we have the conference keynotes and sessions available on our YouTube channel for you to watch back.
In security, Open Source Security Foundation (OpenSSF) selected Node.js as its initial project to improve supply chain security. Node.js is the first open source community to be supported by OpenSSF’s Alpha-Omega Project. Alpha-Omega committed $300k to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022, with a focus on supporting better open source security standards and practices.
Day One kicked off with Robin Ginn, OpenJS Foundation Executive Director, welcoming everyone. She was joined by Chris Gervang, Senior Visualization Engineer at Joby Aviation, to announce that OpenJS was adding the Urban Computing Foundation (UCF) to its foundation family through the new OpenJS Open Visualization Collaboration Space. UCF has for years been a forum for developers to collaborate on a common set of open source tools connecting cities, people, and mobility.
Dr. Felienne Hermans, Leiden Institute of Advanced Computer Science – Hedy: Creating a Gradual Programming Language
Jeff Cross, Co-Founder & Principal Architect, Nrwl – Why Monorepos
Joe Sepi, Program Director of Open Tech, IBM – Embracing Open Source to Beat the Great Reshuffle
Lee Byron, Design Technologist, GraphQL – We’re Gunna Program Like it’s 1999
Additionally, we featured more than 40 breakout sessions across a variety of topics from AI to application development and project-specific talks. All of these are available on demand.
OpenJS World News
We showcased several announcements at the conference that reinforce our community’s goals in testing, security and visualization. See below, as well as on our Day 1 blog for more details.
OpenJS Foundation Welcomes Urban Computing Foundation
The OpenJS Foundation announced that the Urban Computing Foundation (UCF) has partnered with OpenJS to form the Open Visualization Collaboration Space. The Open Visualization Collaboration Space provides a place to openly govern the most comprehensive and widely adopted visualization libraries based on WebGL. UCF is also merging its day-to-day operations and budgets into OpenJS where it will govern these projects and more under the new OpenJS Open Visualization Collaboration Space. Two of its most popular visualization projects – vis.gl and kepler.gl – are moving under the umbrella of the OpenJS Foundation.
Foursquare, HERE Technologies, Joby Aviation and Uber join The OpenJS Foundation
OpenJS has welcomed four UCF members who are now members of the OpenJS Foundation: Foursquare, HERE Technologies, Joby Aviation, and Uber. Open visualization technologies are core to each of these companies’ leadership positions in the market, and by supporting the foundation, they are supporting the infrastructure and long-term growth of key open source projects that they rely on.
Bethany Griggs – Unsung Hero
Matteo Collina – Leading By Example
Darshan Sen – Outstanding Contribution from a New Arrival
Tzviya Siegman – Pathfinder Award for Standards
Liran Tal – Pathfinder Award for Security
Wes Bos – Pathfinder Award for Education
Jest Joins the OpenJS Foundation as an Impact Project
We’d also like to share a big thank you to this year’s sponsors who made this event possible. Thanks to Diamond Sponsors IBM and JFrog, Platinum Sponsor NearForm, Gold Sponsor InfluxData, Silver Sponsors Bloomberg, Hasura, MariaDB and Red Hat, Bronze Sponsor Stellate, and Diversity Scholarship Sponsor nStudio.
There were 6 awards available: Unsung Hero, Leading By Example, Outstanding Contribution from a New Arrival, and the Pathfinder Awards, one for Standards, one for Education, and one for Security.
Unsung Hero nominees are recognized for their willingness to do things that aren’t high profile, glamorous, or even fun, but are important for a well-functioning project and community. Unsung Heroes often do this work with a smile, even if they aren’t being recognized regularly for their contributions.
Leading by Example nominees are known for demonstrating leadership qualities in their communities that reflect OpenJS Foundation values, like being humble, helpful and hopeful. Exemplary leaders embody open source in spirit and in practice, and inspire others to do the same.
Outstanding Contribution from a New Arrival nominees are new participants in our project spaces who are making a big difference – from contributing new ideas, new leadership on a project workstream, helping with project operations, to community building and more. These individuals are rising stars who help bring fresh energy to our projects.
Bethany Griggs – Unsung Hero – “Beth has always been a mighty force for node.js behind the scenes. She puts in tremendous work for the project on the release team, but that work often goes unrecognized. In addition to her service to the project, Beth volunteers on other openjs committees and makes herself available to help the foundation in a variety of ways, from the marketing committee, to the programming committee, to supporting people in the foundation slack and more. Beth is truly a hero, and it’s time to sing her praises!”
Matteo Collina – Leading By Example – “Matteo is a steady leader in both the Node and the Fastify communities. He’s a strong technical leader but he also helps people grow, mentoring them and supporting new contributors. Matteo always tackles problems head on and in a collaborative way. He’s passionate about his work, and it’s absolutely inspiring and infectious!”
Darshan Sen – Outstanding Contribution from a New Arrival – “I’ve seen Darshan contribute across a number of areas within the Node.js project. With his first commit having landed in the Node.js repo just over a year ago, he is now a significant contributor and a member of the Technical Steering Committee. He interacts in a respectful and impactful way and jumps into discussions to express his opinions and help move them forward. As a relatively new arrival he’s ramped up quickly and contributes across a broad range of topics. I think he’s a great example of coming to the project, talking with people, asking for help/info when needed and then making significant contributions.”
Tzviya Siegman – Pathfinder Award for Standards – “Tzviya edits and works on epub specifications, as well as ARIA specifications, at the W3C. She has served on the W3C’s advisory board for some time, and she works hard to improve the experience of new standards community participants through the Positive Work Environment WG. She was instrumental in getting the W3C to update their code of conduct in 2019.”
Liran Tal – Pathfinder Award for Security – “Liran is a tireless advocate for security in the JS ecosystem. He works hard to build bridges, educate developers about security issues, and support Open Source projects working to improve their security posture. Liran has served on the Node security team and is always available to support developers!”
Wes Bos – Pathfinder Award for Education – “Wes is responsible for teaching hundreds of developers how to write React, Node, CSS, tweak their VSCode setups, upgrade their dev environment and so much more. He’s also one of the nicest people in the broader js community, which makes learning from him feel that much better.”
Testing, Security and Visualization are major themes of OpenJS World, currently being held in Austin, TX, June 6-10
The OpenJS Foundation is announcing that the Urban Computing Foundation (UCF) has partnered with OpenJS to form the Open Visualization Collaboration Space. The Open Visualization Collaboration Space provides a place to openly govern the most comprehensive and widely adopted visualization libraries based on WebGL. UCF is also merging its day-to-day operations and budgets into OpenJS where it will govern these projects and more under the new OpenJS Open Visualization Collaboration Space. Two of its most popular visualization projects – vis.gl and kepler.gl – are moving under the umbrella of the OpenJS Foundation.
Vis.gl is a suite of frameworks for GPU-powered data visualization and analysis of large datasets on the web. It is one of the most widely adopted WebGL visualization libraries, with close to 100K daily downloads from npm. kepler.gl is a data-agnostic, high-performance web-based application for visual exploration of large-scale geolocation data sets. The kepler.gl demo app has 30k weekly users.
Historically UCF was a home for Mapzen and related projects. In recent years it became a host for the WebGL geospatial visualization projects Kepler.gl and Vis.gl, including multiple Vis.gl sub-projects.
OpenJS also welcomes four UCF members who are now members of the OpenJS Foundation: Foursquare, HERE Technologies, Joby Aviation, and Uber. Open visualization technologies are core to each of these companies’ leadership positions in the market, and by supporting the foundation, they are supporting the infrastructure and long-term growth of key open source projects that they rely on.
The offerings of vis.gl are packaged and best represented by its flagship framework, deck.gl. It has been integrated with the most popular base map providers, such as Mapbox, Google Maps and ArcGIS; bindings for use with React, Python/Jupyter, R, Vega and CUDA; and libraries that tackle 3D geometry editing (nebula.gl), animation (hubble.gl), autonomous vehicles (AVS), multiplexed bioimaging (Viv), and more. Companies including Google, ESRI, CARTO, Foursquare and Cesium have contributed so that the project works with their libraries or data formats.
“The vis.gl projects are under active development and use, and have great potential for being used widely. We wanted to be connected to an organization like the OpenJS Foundation to support activities that help build growth and popularity. We were already well aligned with the OpenJS Foundation goals, and I believe this is an excellent path forward for both the developers and users of vis.gl and kepler.gl,” said Chris Gervang, Joby Aviation senior visualization engineer. “We look forward to these next steps.”
kepler.gl is one of the most powerful open source browser-based geospatial analysis visualization tools. The kepler.gl demo app is open to all and has 30k weekly users. It is especially well known in geospatial analytics and visualization fields. It has been integrated with Jupyter Notebooks, Jupyter Labs, VSCode, Tableau, and Apache Superset. Users include Unfolded (acquired by Foursquare), Uber, and Carto. And there are many more companies in the mobility space that are using kepler.gl internally for geospatial analysis.
More from OpenJS World 2022 and the OpenJS Foundation: Testing and Security
Together, they hope to reduce risk and set ambitious security goals for all OpenJS projects. They intend to further define, document, communicate, and measure these goals in an open and transparent way.
More specifically, the CPC security goals include:
Strengthening the security and sustainability of the OpenJS projects to improve the software supply chain.
Increasing security contributions (time, people and resources) from public and private organizations, and security communities.
About Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1000 members and is the world’s leading home for collaboration on open source software, open standards, and open hardware. Linux Foundation projects like Linux, Kubernetes, Node.js, and more are considered critical to developing the world’s most important infrastructure. Its development methodology leverages established best practices and addresses the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit their website.