Node.js

Headlines

Can npx run with Node.js permission model? - Rafael Gonzaga shows how to run npx under the Node.js permission model and provides a bash alias for it. This is a useful way to run untrusted code with reduced risk, although it is not without some risks, so still treat any untrusted packages with caution.


Here's the June stream of the Node.js Security Working Group - Featuring a discussion of the current state of affairs with Michael Dawson, Rafael Gonzaga, and Ulises Gascon.

Node.js TSC Declines to Endorse Feature Bounty Program - Why did the TSC decline, and what does it mean for the future of security bugs reported to Node.js and the npm package ecosystem? The TSC is still considering informal solutions, such as contributor directories that connect bug bounty funders with developers directly.

OpenJS becomes a CNA - The OpenJS Foundation is now an official CNA (CVE Numbering Authority) for 40+ JavaScript projects, which means it can assign CVE IDs to vulnerabilities in these projects, including Node.js and npm.

Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.