
Node.js Security Progress Report – More Successful December Outcomes

Categories: Blog, Node.js, Node.js Security

December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software.

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, 2 previous reports had their fixes disclosed, and 2 ecosystem issues were handled: one has a fix approved, and one was fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component of Node.js security. We are finishing the permission model, and will be looking to increase participation on GitHub once it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed: https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh.

OpenSSL update

OpenSSL announced a low-severity vulnerability that affects OpenSSL 3.x users, which includes Node.js v18+. We evaluated the issue and disclosed our assessment. This vulnerability doesn't affect Node.js, and the updated OpenSSL will be picked up in regular releases.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!

Thank you! DigitalOcean Supports OpenJS Foundation with Open Source Credits

Categories: Blog

Thank you to our friends at DigitalOcean for supporting the OpenJS Foundation with their hosting services! DigitalOcean supports developer and entrepreneurial communities, and they have been supporting the OpenJS-hosted projects jQuery and Node.js by granting monthly credits to expand the reach of these critical open source projects.

“DigitalOcean has consistently shown a level of support for open source that goes above and beyond,” said Robin Ginn, Executive Director, OpenJS Foundation. “We depend on DigitalOcean for some key parts of our infrastructure that allow us to support and promote the JavaScript ecosystem. It makes a difference, and it is very much appreciated.”

“As a way to support open source projects that incorporate values that we believe in and advocate for, DigitalOcean is happy to offer these grants of credits to help with development, infrastructure, and testing needs. We strongly believe in giving back to valued open source ecosystems like the OpenJS Foundation,” said Megan Wood, Chief Strategy Officer at DigitalOcean. “We are focused on helping communities scale and continue to make open source ecosystems stronger than ever; we are very proud to support.”

From all of us at the OpenJS Foundation, we look forward to continuing to build the JavaScript ecosystem together!

Get Node.js Certified with the Newest Version!

Categories: Blog, Certification, Node.js

The OpenJS Node.js certification exams have been updated with new content today to reflect the current long-term support (LTS) version, Node.js 18. The certification is ideal for upper-intermediate Node.js developers looking to establish their credibility and value in their careers.

To sign up now to take the certification exams, see https://openjsf.org/certification/

The Node Application Developer testing content broadly covers competence with Node.js to create applications of any kind, with a focus on knowledge of the Node.js core APIs, while the Node Services Developer testing content covers creating and connecting HTTP services, along with web security practices. Many participants have talked about how the classes have helped both their confidence and their resume.

The exams have been updated based on an evaluation of all recent additions to the Node.js core APIs, the evolution of the Node.js ecosystem, and continual tracking of industry standards. As a result, candidates will find that a few exam questions have been removed or added within the relevant topic areas, without any increase in exam duration.

To help prepare for the Node.js Certification exams, the Linux Foundation offers training courses for both the Applications and Services exams. The training courses were authored by David Mark Clements, a principal architect, public speaker, author of the Node Cookbook, and open source creator specializing in Node.js and browser JavaScript, currently working with Holepunch on keet.io.

These exams are evergreen: soon after Node.js moves to a new LTS version line, the certifications are updated to stay in lockstep with that LTS version.

To see what’s new in Node.js 18, see “Node.js 18 Released With Improved Security, Fetch API, and Next-10 Strategic Initiatives”

The OpenJS Node.js Certification program was developed over time with community input, and launched two years ago in partnership with NearForm and NodeSource.

Discounts of 10% to 50% are available on all OpenJS Node.js training and certifications for members of the OpenJS Foundation and supporters of its JavaScriptLandia program. Corporate subscriptions are also available for full access to the Linux Foundation Training and Certification programs.

Sign up now for training or certification exams! https://openjsf.org/certification/

OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web

Categories: Announcement, Blog, jQuery, jQuery Security

By: Robin Ginn, Executive Director, OpenJS Foundation and Brian Behlendorf, General Manager, OpenSSF

Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.

This is the second funded project coming from the OpenSSF to the OpenJS Foundation, the neutral home for JavaScript and the web. Earlier this year OpenSSF selected Node.js as its initial project, committing $300,000 to focus on improving supply chain security.

OpenJS, working with the jQuery maintainers and industry experts, will undertake three core initiatives under this grant: an ecosystem risk audit, an expansion of its infrastructure modernization project, and a web modernization campaign.

“There’s a lot of work to be done to help secure the consumer web,” said Michael Scovetta, Alpha-Omega co-lead and Principal Security PM Manager at Microsoft. “We believe partnering with the vendor-neutral OpenJS Foundation is a great way to communicate out broadly to developers and to work with technology partners to reduce potential security incidents for jQuery. This is a wide-ranging effort that is by no means simple.”

jQuery Core is still actively maintained, and the maintainers have taken steps to consolidate and modernize its infrastructure with support from the OpenJS Foundation, including migrating and improving its CDN. jQuery is still used by 77% of the world’s top 10 million websites, but one-third of those sites are still running the 15-year-old legacy jQuery 1.x line when they should be using a much more current version.

As part of its modernization initiative, the OpenJS Foundation has also helped jQuery with two projects under the jQuery umbrella through a careful transition: jQuery UI and jQuery Mobile. However, there is much work to be done to fully understand and mitigate potential risks.

“The use of ubiquitous technologies like jQuery is invisible to most, however potential problems could affect millions of websites. And, there’s no one-size-fits-all solution. This is exactly the type of project that the OpenSSF is looking to support, and we are excited to be working on our second project with the OpenJS Foundation, helping to advance open source security for all,” said Michael Winser, Alpha-Omega co-lead and Group Product Manager for Software Supply Chain Security and CI/CD at Google. “We are pleased to be committing to this project with the OpenJS Foundation and jQuery.”

The OpenJS Foundation and OpenSSF are looking forward to working closely together to help developers around the globe improve their open source security readiness!

If you’re interested in finding out how you can help, please contact the OpenJS Foundation via https://openjsf.org/collaboration/.