The State of Node.js Security - April, 2018
npm acquired Lift Security, the Node.js Security Working Group got a public Slack channel, a bug bounty program was started - just a few things that happened in the past couple months in the security space of the Node.js ecosystem. In this post, I’d like to give you a quick overview of the most important updates.
On 10 April, npm announced that the Lift Security team joined npm to work full time on keeping the registry safe, and to develop new products.
With this acquisition, npm invested heavily in the security of the Node.js space - I am very excited to see what new products npm will announce in the coming weeks!
npm audit added to npm@6
One of the first improvements announced after the partnership is the addition of the npm audit command to the npm CLI. It will run a security audit of your project’s dependency tree and notify you about any actions you may need to take.
This feature will ship in npm version 6, which will be the default package manager for the next major release of Node.js, Node.js version 10.
The Security Working Group’s purpose is to achieve the highest level of security for Node.js and community modules. To make the communication channel more approachable, and to facilitate open discussion for and by the community, we’ve launched a Slack group.
To join, follow this link.
The Node.js Security Working group also announced the bug bounty program for the runtime. The program is run on HackerOne, a vulnerability coordination and bug bounty platform.
All reports will be acknowledged within 24 hours, and you’ll receive a more detailed response within 48 hours indicating the next steps in handling your report. Please report any security issues here.
On 28 March, all active release lines got security updates - these address the following security issues:
- OpenSSL update to OpenSSL 1.0.2o
- Node.js Inspector DNS rebinding vulnerability (Node.js 6.x and above)
- path module regular expression denial of service (Node.js 4.x only)
- Spaces in HTTP Content-Length header values are ignored
- Update root certificates
To read more about these issues, you can find the official release notes here.
If you haven’t updated your version, I’d recommend doing that as soon as possible!
I’d recommend reading the following articles to make sure your Node.js applications are secure: