Node.js Security Progress Report – Automation, Automation and more Automation

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April, with more people participating than in the previous month. The average time to our first response in April was 18 hours, well within our goal of a 48-hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency update automations were completed this month, covering undici, openssl, v8, npm and more. Only 2 more automations remain.

As a reminder, the Security Working Group started investigating Node.js dependencies in November last year. They identified which dependency updates could be automated, and which ones should be prioritized: https://github.com/nodejs/security-wg/issues/828. The benefits of this work are already visible in the increased number of dependency update pull requests automatically submitted to the project.

Security Release Automation

The Security Working Group is focusing on automating the handling of the key dependencies in the build. This makes the overall process easier and less error-prone, and it makes it possible in the future for different stewards to complete the process.

There are currently 26 steps in a Node.js security release. If greater automation works, it will be a big step forward. Expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes this the right time to try it. Because the Permission Model is a security feature, any bug in it is treated as a vulnerability.

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His reports and blog posts have generated great visibility on social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self-sufficiency.

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

OpenJS Foundation and the Sovereign Tech Fund: Creating secure and modern technology and policy

OpenJS Foundation Receives Major Government Investment from Sovereign Tech Fund for Web Security and Stability

Read more details here: OpenJS Foundation Receives Largest One-Time Government Investment

We’re so excited to announce that the OpenJS Foundation has been selected to receive an investment from the Sovereign Tech Fund (STF) to help build the future of JavaScript infrastructure and security. 

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is investing EUR 875,000 (USD 902,000) in the OpenJS Foundation. 

This is the largest one-time government support investment ever to a Linux Foundation project. We’re grateful to the STF team for supporting this initiative!

Our goal is to help our open source projects gain more secure and modern technologies and policies for the web. In collaboration with community leaders in our OpenJS Security Collaboration Space, and the Linux Foundation IT team, we developed a plan that we hope will scale across the JavaScript ecosystem.

We will do the following over the next two years:

  • Deliver infrastructure updates across our project portfolio through a single, scalable solution, while implementing a responsible sunset program for inactive projects.
  • Develop and deliver security and maintenance policies and practices for critical projects.

The OpenJS Foundation’s JavaScript technologies are widely used around the world, and building development infrastructure with longevity and stability remains a key function of the OpenJS Foundation. 

We want to continue to improve and build a JavaScript ecosystem that will continue to flourish over the next decade, and the support from the Sovereign Tech Fund will make that commitment a reality. 

Government support of open source

Governments, the private sector, and individuals all rely on JavaScript, and we pride ourselves on growing our security and trust in the web technologies they use. 

The Sovereign Tech Fund’s investment in the OpenJS Foundation will scale our hosted projects today and in the future. At the same time, it will help our projects adopt more secure and modern technologies and policies, with the goal of being self-sustaining in the future.

We hope that this will start to build a JavaScript ecosystem that will continue to flourish not only in Germany, but around the globe. It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in the critical open source infrastructure that powers the web.

Expanding our security practices

We’ve been working to modernize and improve our security practices in other areas, with the help of the Open Source Security Foundation (OpenSSF) Alpha-Omega project. 

Earlier this year, jQuery received USD 350,000 to reduce potential security incidents by helping modernize its consumers and its code. This is also the second year that Alpha-Omega has funded Node.js, resulting in great progress improving Node.js security, which we have been reporting on monthly.

What’s next

We’re excited to begin, and have already engaged members of the Linux Foundation IT team to assist with the work. We’ll be sure to keep our OpenJS blog updated as we make progress!

Big thank you to the Sovereign Tech Fund and the German Ministry for their generous support of open source. We hope that their leadership will inspire governments around the world to follow suit!

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Netflix, and Microsoft. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.