Node.js
Headlines
Can npx run with Node.js permission model? - Rafael Gonzaga demonstrates, and provides a bash alias for, running npx under the Node.js permission model, which is a great way to run untrusted code in a more confined manner (although not without some risks, so still take it with a grain of salt for any untrusted packages).
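As an added example (this is not Rafael Gonzaga's alias and not code from the newsletter), here is a small POSIX shell wrapper that composes the permission-model flags and launches npx through them. The flag names are the ones documented for Node.js 20 (`--experimental-permission`, `--allow-fs-read`, `--allow-fs-write`, `--allow-child-process`); the function names and the `/tmp/proj` path used in the comments are assumptions for illustration.

```shell
# Added example: confine npx with the Node.js permission model.
# Assumption: Node.js 20 flag names. In Node.js 23 and later the main flag
# is spelled --permission instead of --experimental-permission.

# Build the flags that confine npx: read access everywhere (npx has to load
# npm and the downloaded package), write access only inside the given
# directory, and permission to spawn the package's own executable.
npx_perm_flags() {
    write_dir="$1"
    printf '%s' "--experimental-permission --allow-fs-read=* --allow-fs-write=$write_dir --allow-child-process"
}

# Run npx with the permission model, granting writes only to the current
# working directory (mirrors what a project-local alias would do).
# npx is itself a Node.js script, so we hand its path to node directly.
safe_npx() {
    npx_bin="$(command -v npx)" || { echo "npx not found in PATH" >&2; return 127; }
    # Flags are intentionally word-split; paths containing spaces would need
    # a different construction (e.g. a function that sets "$@").
    # shellcheck disable=SC2046
    node $(npx_perm_flags "$PWD") "$npx_bin" "$@"
}

# Example invocation (assumed package name, run from the project directory):
#   safe_npx some-cli --version
```

The write grant is deliberately the narrow one: anything the package tries to write outside the project directory raises an `ERR_ACCESS_DENIED`, which is a useful signal when auditing an unfamiliar package. The caveat behind the "grain of salt" is `--allow-child-process`: a process the package spawns runs without the permission model unless it is itself started with these flags, so the wrapper reduces, but does not eliminate, the risk of executing untrusted code.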
Here's the June stream for the Node.js Security working group - Featuring a discussion on the current state of affairs with Michael Dawson, Rafael Gonzaga, and Ulises Gascon.
Node.js TSC Declines to Endorse Feature Bounty Program - Why is that and what does it mean for the future of security bugs reported to Node.js and the npm package ecosystem? The TSC is still considering informal solutions like contributor directories to connect bug bounty funders with developers directly.
OpenJS becomes a CNA - The OpenJS Foundation is now an official CNA (CVE Numbering Authority) for 40+ JavaScript projects, which means it can assign CVE IDs to vulnerabilities in these projects, including Node.js and npm.