The State of Node.js Security - April, 2018

npm acquired ^Lift Security, the Node.js Security Working Group got a public Slack channel, a bug bounty program was started - just a few things that happened in the past couple months in the security space of the Node.js ecosystem. In this post, I'd like to give you a quick overview of the most important updates.

npm acquired ^Lift Security and Node Security Platform

On 10 April, npm announced that the Lift Security team joined npm to work full time on keeping the registry safe, and to develop new products.

With this acquisition, npm invested heavily in the security of the Node.js space - I am very excited to see what new products npm will announce in the coming weeks!

Read more here!

npm audit added to npm@6

One of the first improvements announced after the partnership is the addition of the npm audit command to the npm CLI. It will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

This feature will ship in npm version 6, which will be the default package manager for the next major release of Node.js, Node.js version 10.
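As an added example (not npm's own code and not part of the original post), the script below shows how a build job might consume the JSON that `npm audit --json` writes and fail when any advisory reaches a chosen severity. The report shape it reads (a top-level `advisories` map keyed by id, each entry carrying `module_name`, `severity`, `title` and `patched_versions`, plus `metadata.vulnerabilities` counts) is my recollection of the npm 6 format and should be treated as an assumption; the embedded report and the package names in it are constructed for this example.

```python
# Added example, not npm's code: gate a CI step on `npm audit --json` output.
# Assumption: npm 6 emits {"advisories": {id: {...}}, "metadata": {...}}.
import json
from typing import Dict, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report; package names and advisory ids are made up.
SAMPLE_AUDIT_JSON = """
{
  "actions": [],
  "advisories": {
    "1001": {
      "id": 1001,
      "module_name": "sample-pkg-a",
      "severity": "moderate",
      "title": "Regular Expression Denial of Service",
      "vulnerable_versions": "<1.2.0",
      "patched_versions": ">=1.2.0",
      "findings": [{"version": "1.1.0", "paths": ["app>sample-pkg-a"]}]
    },
    "1002": {
      "id": 1002,
      "module_name": "sample-pkg-b",
      "severity": "high",
      "title": "Prototype Pollution",
      "vulnerable_versions": "<4.0.1",
      "patched_versions": ">=4.0.1",
      "findings": [{"version": "3.9.0", "paths": ["app>sample-tool>sample-pkg-b"]}]
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0},
    "dependencies": 42, "devDependencies": 7, "optionalDependencies": 0, "totalDependencies": 49
  }
}
"""


def parse_report(text: str) -> dict:
    """Parse the audit JSON; a report with no advisories key is treated as clean."""
    report = json.loads(text)
    report.setdefault("advisories", {})
    return report


def count_by_severity(report: dict) -> Dict[str, int]:
    """Count advisories per severity, derived from the advisories map itself
    rather than trusting the metadata block."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for adv in report["advisories"].values():
        level = adv.get("severity", "info")
        counts[level if level in counts else "info"] += 1
    return counts


def failing_advisories(report: dict, threshold: str = "high") -> List[Tuple[str, str, str, str]]:
    """Return (module, severity, title, patched_versions) for every advisory
    whose severity is at or above the threshold, most severe first."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for adv in report["advisories"].values():
        level = adv.get("severity", "info")
        if SEVERITY_RANK.get(level, 0) >= floor:
            hits.append((adv["module_name"], level, adv["title"], adv.get("patched_versions", "")))
    return sorted(hits, key=lambda h: -SEVERITY_RANK[h[1]])


def should_fail(report: dict, threshold: str = "high") -> bool:
    """True when the build should be blocked under the given severity floor."""
    return bool(failing_advisories(report, threshold))


if __name__ == "__main__":
    # Usage: python audit_gate.py < <(npm audit --json); here we use the sample.
    rep = parse_report(SAMPLE_AUDIT_JSON)
    print("advisories by severity:", count_by_severity(rep))
    for module, level, title, fixed in failing_advisories(rep, "high"):
        print(f"  {level:<8} {module}: {title} (patched in {fixed})")
    raise SystemExit(1 if should_fail(rep, "high") else 0)
```

Counting from the `advisories` map rather than the `metadata` totals means the gate still works if the summary block is absent, and sorting the findings by severity puts the item most worth fixing at the top of the CI log.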

To read more about the other exciting features of npm@6, check out the release log!

Slack for the Node.js Security Working Group

The Security Working Group's purpose is to achieve the highest level of security for Node.js and community modules. To make the communication channel more approachable and to facilitate open discussion for and by the community, we've launched a Slack group.

To join, follow this link.

Bug bounty for Node.js

The Node.js Security Working Group also announced the bug bounty program for the runtime. The program is run on HackerOne, a vulnerability coordination and bug bounty platform.

All reports will be acknowledged within 24 hours, and you’ll receive a more detailed response within 48 hours indicating the next steps in handling your report. Please report any security issues here.

Read more here on the Node.js bug bounty program!

Node.js security releases

On 28 March, all active release lines got security updates - these address the following security issues:

OpenSSL update to OpenSSL 1.0.2o

Node.js Inspector DNS rebinding vulnerability (Node.js 6.x and above)

path module regular expression denial of service (Node.js 4.x only)

Spaces in HTTP Content-Length header values are ignored

Update root certificates

To read more about these issues, you can find the official release notes here.

If you haven't updated your version, I'd recommend doing that as soon as possible!

Further reading

I'd recommend reading the following articles to make sure your Node.js applications are secure: