Building Secure Node.js CLIs - Argument Injection, Pretty Layouts, Best Practices and Semantic Version Releases
38 Node.js CLI Best Practices — A collection of curated best practices on how to build successful, empathic and user-friendly Node.js Command Line Interface (CLI) applications.
The list also includes a Security section with a tip on avoiding Argument Injection vulnerabilities (explained in depth in my Node.js Secure Coding book).
Headlines
Destroyed by Dashes: CVE-2023-26143 — How two hyphens cause an argument injection vulnerability in the blamer npm package. See how I exploited the git blame command to overwrite arbitrary files.
@xterm/xtermjs — Build terminals in the browser.
Noteworthy Node.js CLI frameworks:
- oClif - CLI for generating, building, and releasing oclif CLIs. Built by Salesforce.
- Clack - The CLI framework powering Astro and others.
- Prompts - Lightweight CLI library for interactive prompts.
- Termino.js - Create a web based terminal on any website.
Sli.dev — Slides powered by Markdown, themable, pluggable and built by the talented Anthony Fu.
Changesets: Simplify Project Versioning with Semantic Releases — You might be familiar with the semantic-release CLI, so this is a comprehensive guide to adopting Changesets for semantic versioning and publishing packages in monorepo and non-monorepo projects.
is-my-node-vulnerable — A lightweight CLI tool to check if your Node.js runtime version hosts vulnerabilities.
dockly — Immersive terminal interface for managing docker containers and services.
On npm
- resvg-js — A high-performance SVG renderer and toolkit, powered by the Rust-based resvg and napi-rs.
- configstore — Easily load and persist config without having to think about where and how.
New Security Vulnerabilities
- @75lb/deepmerge found vulnerable to Prototype Pollution, 31 July 2024
- json-override found vulnerable to Prototype Pollution, 31 July 2024
- kibana found vulnerable to Denial of Service, 31 July 2024
Node.js Tip of the Week
🔮 New in Node.js native test runner — You can mock method calls with mock.method(object, method) and supply an optional implementation too.
Hiring
- Mindera hiring for Backend Software Engineer, Node.js in 🇵🇹
- Lattice hiring for Senior Software Engineer, Node.js in 🇺🇸
- incode hiring for Senior Backend Engineer, Node.js in 🇷🇸
- Tipalti hiring for Staff Full Stack Engineer (Node.js) in 🇮🇱