Building Secure Node.js CLIs - Argument Injection, Pretty Layouts, Best Practices and Semantic Version Releases

Node.js CLI Best Practices — A collection of curated best practices on how to build successful, empathic and user-friendly Node.js Command Line Interface (CLI) applications.

The list also has a Security section, including a tip on avoiding Argument Injection vulnerabilities (explained in depth in my Node.js Secure Coding book).


Headlines

Destroyed by Dashes: CVE-2023-26143 — How do two hyphens cause an argument injection vulnerability in the blamer npm package? See how I exploited the git blame command to overwrite arbitrary files.

Snyk Advisor shows the blamer package on npm, with 50k downloads, flagged as vulnerable to a form of command injection.

@xterm/xtermjs — Build terminals in the browser.

Noteworthy Node.js CLI frameworks:

  • oClif - CLI for generating, building, and releasing oclif CLIs. Built by Salesforce.
  • Clack - The CLI framework powering Astro and others.
  • Prompts - Lightweight CLI library for interactive prompts.
  • Termino.js - Create a web-based terminal on any website.

Sli.dev — Slides powered by Markdown, themable, pluggable and built by the talented Anthony Fu.

Changesets: Simplify Project Versioning with Semantic Releases — If you already know the semantic-release CLI, this is a comprehensive guide to adopting Changesets for semantic versioning and publishing packages, in both monorepo and single-package projects.

is-my-node-vulnerable — A lightweight CLI tool to check whether the Node.js runtime version you are running has known vulnerabilities.


dockly — Immersive terminal interface for managing docker containers and services.


On npm

  • resvg-js — A high-performance SVG renderer and toolkit, powered by the Rust-based resvg and napi-rs.
  • configstore — Easily load and persist config without having to think about where and how.

New Security Vulnerabilities

Node.js Tip of the Week

🔮 New in Node.js native test runner — You can mock method calls with mock.method(object, method) and supply an optional implementation too:


Hiring


Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.