The Node.js Secure Coding Blog

How to use yarn audit
Better some security than none at all. If you're using Yarn package manager, learn about `yarn audit` and how to use it to check for vulnerabilities in your dependencies.
Sep 26, 2024 ~ 7 min read
yarn audit
npm audit
vulnerabilities
yarn
Raw SQL Queries are Actually Better for Security Than ORMs?
Have I gone mad? Do I actually recommend not using an ORM and actually gaining a security advantage? Sort of. It's more nuanced but if we're trying to fix SQL injection and related vulnerabilities then I invite you to take a read.
Sep 22, 2024 ~ 11 min read
raw
sql
ORMs
Node API Security
Briefly exploring core concepts around Node API security with regards to GraphQL and REST API design with code examples specific to Node.js application servers.
Sep 10, 2024 ~ 7 min read
nodejs
secure
configuration
Is Node.js Secure?
Briefly exploring the Node.js threat model to draw some opinions on whether Node.js is secure or not.
Sep 9, 2024 ~ 5 min read
nodejs
secure
threat model
URL Regex Validation: what can go wrong?
Are you using regex to validate URLs? Learn from a CVE identified in the node-forge npm package that was using a regex pattern to validate URLs and resulted in a security vulnerability.
Sep 8, 2024 ~ 3 min read
regex
url
validation
vulnerability
Uncovering a Prototype Pollution Regression in the core Node.js project
Learn how I discovered a Node.js core prototype pollution regression, its security implications, and why it didn't warrant a CVE. Luckily, I also fixed it for us!
Aug 16, 2024 ~ 5 min read
nodejs
security
prototype pollution
vulnerability

Newer posts

Older posts