Node.js Security Progress Report – More Successful December Outcomes

Categories: Blog, Node.js, Node.js Security

December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software. 

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, the fixes for 2 earlier reports were disclosed, and 2 ecosystem issues were handled: one has a fix approved and the other was fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component of Node.js security. We are finishing the permission model, and will be looking to increase participation on GitHub once it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed: https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh.

OpenSSL update 

OpenSSL announced a low-severity vulnerability that affects OpenSSL 3.x users, which for Node.js means v18 and later. We evaluated the issue and published our assessment: the vulnerability does not affect Node.js, so the updated OpenSSL will ship in regular releases rather than a dedicated security release.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!

Get Node.js Certified with the Newest Version!

Categories: Blog, Certification, Node.js

The OpenJS Node.js certification exams have been updated today with new content reflecting Node.js 18, the current long-term support (LTS) release line. The certification is aimed at upper-intermediate Node.js developers looking to establish their credibility and value in their careers.

To sign up now to take the certification exams, see https://openjsf.org/certification/ 

The Node Application Developer exam broadly covers competence with Node.js for creating applications of any kind, with a focus on knowledge of the Node.js core APIs. The Node Services Developer exam covers creating and connecting HTTP services, along with web security practices. Many participants have said that the classes helped both their confidence and their resume.

The exams have been updated based on an evaluation of all recent additions to Node.js core APIs, the evolution of the Node.js ecosystem, and continual tracking of industry standards. As a result, candidates will see a few exam questions have been either removed or added within relevant topic areas without increasing exam duration.

To help prepare for the Node.js Certification exams, the Linux Foundation offers training courses for both the Applications and Services exams. The training courses were authored by David Mark Clements, a principal architect, public speaker, author of the Node Cookbook, and open source creator specializing in Node.js and browser JavaScript, currently working with Holepunch on keet.io.

These exams are evergreen and soon after Node.js updates its LTS version line, the certifications are updated to stay in lockstep with that LTS version. 

To see what’s new in Node.js 18, see “Node.js 18 Released With Improved Security, Fetch API, and Next-10 Strategic Initiatives” 

The OpenJS Node.js Certification program was developed over time with community input, and launched two years ago in partnership with NearForm and NodeSource. 

Discounts from 10% – 50% are available for all the OpenJS Node.js training and certifications for members of the OpenJS Foundation and supporters of its JavaScriptLandia program. Corporate subscriptions are also available for full access to the Linux Foundation Training and Certification programs. 

Sign up now for training or certification exams! https://openjsf.org/certification/

Node.js 19 is now available!

Categories: Announcement, Blog, Node.js

Node.js 19 is now available! Node.js 19 replaces Node.js 18 as our current release line, with Node.js 18 being promoted to long-term support (LTS) next week.

What do these two releases mean? Node.js 19 is ready for early feature testing, and Node.js 18 LTS will be fully ready for production deployments starting next week, October 25.

Rafael Gonzaga from Nearform and Ruy Adorno from Google have been working as the release leads for this version.

“With over 1,150 commits since the last release, Node.js continues to improve along a broad spectrum of functionality. Improvements in connectivity, performance and throughput are important parts of Node.js 19. We’ve been working hard on making Node.js more secure and performant, and I believe we are getting better and better. If you’re in active deployment, Node.js 18 LTS is for you. If you’re interested in getting access to features early, Node.js 19 is ready,” said Rafael Gonzaga, Node.js Core Member. “Many thanks to our open source contributors for making Node.js better and better.”

What’s exciting about Node.js 19 is that you can expect new releases approximately every two weeks, always keeping you up to date with the latest features and changes. Since this is an odd-numbered release line, Node.js 19 will not be promoted to LTS. You can read more about our release policy at https://github.com/nodejs/release.

Because Node.js releases frequently, new features arrive incrementally over the life of a release line; even so, Node.js 19.0.0 already includes several notable updates.

“Node.js releases are fundamentally a team effort, and, more broadly, a community effort. Node.js 19 and Node.js 18 LTS are great examples of this with input and code from a wide range of developers,” said Ruy Adorno, Node.js Release Working Group Chair and Senior Software Developer, Google. “Try out Node.js yourself, and if you have contributions, we are very interested in working with you.”

Main updates for Node.js 19

  • HTTP(S)/1.1 KeepAlive now set by default
  • Custom ESM Resolution Adjustments
  • Dropped support for DTrace/SystemTap/ETW
  • Updated V8 JavaScript engine to 10.7
  • llhttp 8.1.0

HTTP(S)/1.1 KeepAlive by default

Node.js now sets keepAlive to true by default, so outgoing HTTP and HTTPS connections automatically use HTTP/1.1 Keep-Alive. The same behaviour was available before, but only by creating an http.Agent with keepAlive: true and passing it to each request; it is now the default for the global agent. The result is better performance and throughput out of the box. It is also a behaviour change: code that assumed each request opened (and closed) its own TCP connection should be re-tested, and an explicit agent with keepAlive: false restores the old behaviour where needed.

Custom ESM Resolution Adjustments

Node.js has removed the `--experimental-specifier-resolution` flag. The same behaviour can now be achieved with a custom ESM loader.

Dropped support for DTrace/SystemTap/ETW

DTrace can be used to get a global overview of a running system, such as the memory, CPU time, filesystem and network resources used by the active processes. It can be an important tool, but keeping the integration up to date is complex, and the project decided it does not have the people to support it properly. If you are interested in helping to bring DTrace back, an issue has been opened here: github.com/nodejs/node/issues/44550

Updated V8 JavaScript engine to 10.7

The V8 engine is what powers Node.js. It parses and runs your JavaScript inside a Node environment. Node.js follows updates to the V8 JavaScript engine closely. 

This version adds the `Intl.NumberFormat` v3 API, a TC39 ECMA-402 stage 3 proposal that extends the pre-existing `Intl.NumberFormat`.

llhttp 8.1.0

llhttp is a port of http_parser to TypeScript. The TypeScript source is used to generate a C source file that is compiled and linked into an embedder's program such as Node.js. It parses both requests and responses and is designed for performance-critical HTTP applications. Because it is the parser that interprets every incoming HTTP message, it is also where fixes for HTTP parsing issues land, so keeping it current matters for security as well as performance. The Node.js team regularly improves llhttp with new API features and callbacks.

Try it out today

To download Node.js v19.0.0, visit: https://nodejs.org/en/download/current/.  Check out the release post at https://nodejs.org/en/blog/release/v19.0.0, which contains the list of commits included in this release. The team would love to hear your feedback! 

“Thank you to Rafael and Ruy for taking on this release, and thank you to our community – your feedback is so important for the iteration of Node.js,” said Senior Software Engineer at Red Hat, Node.js TSC Member, and prior major release steward, Bethany Griggs. “As a long time maintainer of Node.js, hearing from the community allows us to push these releases more efficiently.”

Testing your applications and modules with Node.js 19 helps to ensure the future compatibility of your project with the latest Node.js changes and features.

For the timeline of Node.js releases, check out the Node.js Release Schedule.

“We look forward to what the community will build with the release of Node.js 19,” said OpenJS Foundation Executive Director Robin Ginn. “With each release, the team is quickly working to ensure developers are always up to date and able to test out new features.”

Thank you

We’d like to thank all of the Node.js collaborators and contributors, as this release and upcoming ones are a direct result of their efforts!

Node.js Security Progress Report – Collab Summit Highlights Increased Focus On Security for Node.js

Categories: Blog, Node.js, Node.js Security

There was good progress in September aimed at improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. The grant helped the team cover an extra 4 reports from HackerOne, helped with 3 security releases, and made important new changes to security processes. And, we attended the OpenJS Collab Summit and got more feedback directly from Node.js members.

6 Fixed Vulnerabilities and 1 Security Release

There were 2 Security Working Group and 2 Release Working Group meetings in September. Based on 4 CVEs reported through HackerOne, there were 4 releases of Node.js in the past month, and much of the focus of our security work was here. There was also one security release of Node.js, covering the following release lines:

  • Node.js v18.9.1 (Current)
  • Node.js v16.17.1 (LTS)
  • Node.js v14.20.1 (LTS)

Improving Security Processes

The Node.js team proposed and implemented 2 major changes in the mechanism for fixing CVEs. Since a patch can itself introduce a new problem, or fail to fully close the reported one, we looked for ways to better communicate back to the original reporter and close the loop. The first change is that we share the diff with the reporter, giving them a concrete view of the fix. The second change is that whenever a security report is fixed, a binary is built and sent to the reporter: we fix the problem, compile it locally, test it, create a binary, and send it (when applicable) to the original reporter through the HackerOne thread so they can re-test against the actual fix.

OpenJS Collab Summit (Oct 1-2, 2022, Dublin, Ireland)

The Collaborators Summit brings maintainers and contributors together to discuss Node.js. Committees and working groups come together twice per year to make important decisions. In Dublin, there was lots of engagement, and we were able to hear some concerns about including security more explicitly in planning for the future. We were very pleased with the interactions.

Pictures from Collab Summit, thanks to Tony Gorez

Node.js Security Progress Report – Threat Model and Dependency Analysis Improvements

Categories: Blog, Node.js, Node.js Security

August was a big month for improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. There was work on the Node.js Threat Model, Dependency Analysis that created new automatic notifications, and there will be Node.js Working Group presentations on these topics and more at the upcoming Collaborator Summit in early October.

Threat Model

Threat modeling is a structured approach of identifying and prioritizing potential threats to a system, and determining the value that potential mitigations would have in reducing or neutralizing those threats. – OWASP

Work on the Node.js Threat Model continues with the goal of listing all the current threats and their mitigation for each environment using Node.js. The Threat Model document will provide context on what will or will not be considered a vulnerability in Node.js, and will serve as a guide for application security operations in support of development teams building on top of the Node.js platform.

Dependency Analysis

A daily workflow has been created to scan Node.js dependencies and look for vulnerabilities. Whenever a vulnerability is found, an issue is created and assessed. Node.js now gets vulnerability reports about dependencies once per day as soon as vulnerabilities are identified, instead of waiting for manual reporting. 

Check out the repo for the status of CVEs reported against Node.js dependencies.

Meeting Face to Face

Rafael Gonzaga from the Node.js Security Working Group will be presenting at the OpenJS Foundation Collaborator Summit, held in Dublin, Ireland, Oct 1-2, 2022. He will be presenting on what’s next for Node.js in Diagnostics and Security. Come talk about Node.js security with us!

Node.js Security Progress Report – Permission System Gets Its First Pull Request

Categories: Blog, Node.js, Node.js Security

July was a busy month for improving Node.js security, with reinforcements from the Open Source Security Foundation (OpenSSF) grant to OpenJS! There was the first pull request for the Permission System, a Node.js Security Release, and a new OpenSSL Security Release which meant updates to Node.js v18, v16, and v14, and triaging and fixing HackerOne reports (5 total).

Permission System

Node.js is building a security Permission System to avoid third-party libraries accessing machine resources without user consent. The Permission System got its first pull request in July! The pull request is 1,200 lines and includes the foundation of the Permission Model. There has been good feedback from the community, and the pull request has been shared publicly. This is the starting point; plenty of review and discussion is expected. 

OpenSSL Update

OpenSSL released a major security update on July 5. Node.js responded with our OpenSSL Security Release Assessment, which stated that the OpenSSL release affects Node.js v18, v16, and v14, with one moderate vulnerability on Windows 32-Bit x86. Our Node.js Security Releases were made available on July 7, covering 7 fixes. (A normal update level is 2-3 fixes.) 

It is best practice to provide a revert flag for security updates that can include breaking changes, so that installations that need a temporary workaround can opt out while they adapt. For v16 and v14, we shipped the fixes without the revert flag (`--openssl-shared-config`), and are working to make it available in the next Node.js release.

Node.js tracks OpenSSL releases closely. The document Maintaining OpenSSL shows how we check requirements, extract new OpenSSL sources, and commit them.

Triaging and Fixing

Node.js analyzes and resolves reports on HackerOne. The team triages Node.js issues and fixes security vulnerabilities; HackerOne access is required to take part. For security reasons, reports are not disclosed until a CVE has been assigned.

Join us!

Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar and find issues for meetings in this repo: nodejs/security-wg.

Progress Report – Strengthening Node.js Security

Categories: Blog, Node.js, Node.js Security, Project Update

In April this year, the OpenJS Foundation announced the Open Source Security Foundation (OpenSSF) had selected Node.js as their initial project to help improve supply chain security. As part of OpenSSF’s Alpha-Omega Project, $300k was committed to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022. The focus is on supporting better open source security standards and practices. The Alpha-Omega repo for Node.js is here.

Since the announcement, OpenJS has quickly onboarded new OpenSSF security support resources who hit the ground running. Better plans and processes have already started to be built out and are already having an impact.

For example, security processes are being improved through a Security Model that is being discussed in the Security Working Group. The structure has been defined and they are currently working to document assumptions from the Node.js runtime. 

The community is creating a new Threat Model that provides context on what will and will not be considered a vulnerability in Node.js, which will particularly help inform security researchers. It includes all the current threats and their mitigation for each environment using Node.js. Note: This may change over releases.

The community also added vulnerability checking for Node.js dependencies. This is a new script that queries vulnerability databases in order to find if any of Node.js’ dependencies are vulnerable. It runs as part of the continuous integration workflow, and if any new vulnerabilities are found, it automatically opens an issue tagging Node.js’ maintainers and Security Working Group members.

Additionally, the Node.js team fixed the first OpenSSF Project Omega CVE as part of the Node.js July 7, 2022, security release.

Organization

Day-to-day security is run by the triage team, who work through HackerOne reports to fix issues and handle the ongoing OpenSSL reports and updates. The turnaround time on fixes has been tightened from about one week to under two days.

The Security Working Group, which has a broader mandate to look at the future of Node.js security, has been reactivated, meeting every two weeks.

Join us!

Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar.