Node.js security release, React Server Components authorization bypass, NodeConf EU and a collection of useful GitHub Actions
How easy is it to introduce broken access control when using React Server Components? In this RSC example, Sasha shared on Twitter how they inadvertently wrote React Server Component code that would have resulted in a security breach had it not been refactored in time. Judging by the social chatter, this is a genuinely confusing security issue for developers. [nodejs-security.com]
🚨 Node.js Security Release — Expected to be published today, July 8th, fixing 5 security vulnerabilities in the Node.js runtime. Watch closely and upgrade as soon as you can. [github]
Fancy some security GitHub Actions? Here you go
Edward Thomson published a new version of test-summary — beautiful-looking summaries for GitHub Actions test output. [github]
Ulises Gascon, Node.js collaborator and Express maintainer, released a new version of OpenSSF Scorecard Monitor — the Scorecard project aims to quantify the security posture of open-source projects, and this action helps streamline that through PR workflows and reports. [github]
New dependencies advisor — a GitHub Action that integrates with the Snyk Advisor to pull information about newly added dependencies in a Pull Request and adds a comment with their package health score. [github]
Care to meet many Node.js collaborators and developers in an Irish castle? Get tickets to the NodeConf EU conference happening on November 4-6, 2024. FYI, the Call For Papers is also open; submit your talks!
On npm
neostandard - Pelle Wessman introduces the successor to StandardJS, the way we used to lint code. There is an open issue to track potential Biome support.
biome - Keeping with the same theme, Biome aims to be a one-stop-shop, fast JavaScript formatter and linter that replaces Prettier and ESLint. P.S. Biome celebrated 2 million monthly downloads 🎉
New Security Vulnerabilities
- @jmondi/url-to-png found vulnerable to Path Traversal, 11 Jun 2024
- undici found vulnerable to Memory Buffer Error, 25 Jun 2024
- @fastly/js-compute found vulnerable to Use After Free, 27 Jun 2024
- colors-names is a malicious package, careful what you install 😅
Hiring
- Snyk hiring for Associate Security Researcher - Hunter team in 🇷🇴
- Snyk hiring for Staff Software Engineer DX (TypeScript & Node.js) in 🇬🇧
- SentinelOne hiring for Senior Threat Researcher in 🇮🇱
- SentinelOne hiring for Staff Software Engineer JS, React in 🇮🇳
- Datadog hiring for Library Software Engineer, Node.js in EMEA
- Datadog hiring for Staff Software Engineer JS, React in 🇮🇳
you should pin your actions usage to a SHA. Want the security but don't want the bother? Frizbee can take care of that for you
— Edward Thomson, June 26 2024
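As an added example (not from the newsletter, and not Edward Thomson's or Frizbee's code), here is a small dependency-free Node.js check that flags `uses:` references in a GitHub Actions workflow that are not pinned to a full 40-hex commit SHA. The sample workflow is constructed for the demo and the zero-filled SHA is a placeholder, not a real commit.

```javascript
// Scans GitHub Actions workflow text line by line and reports every
// `uses:` reference that floats on a tag, branch, or no ref at all.
// A regex scan is used instead of a YAML parser so nothing needs installing.
// Local actions (./path) and docker:// images are skipped on purpose.

const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

// Returns 'pinned', 'unpinned', or 'skip' for a single uses: reference.
function classifyUses(ref) {
  if (ref.startsWith('./') || ref.startsWith('docker://')) return 'skip';
  const at = ref.lastIndexOf('@');
  if (at === -1) return 'unpinned'; // no ref at all: resolves to the default branch
  const version = ref.slice(at + 1);
  return FULL_SHA_RE.test(version) ? 'pinned' : 'unpinned';
}

// Returns [{ line, ref }] for every uses: reference that is not SHA-pinned.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split('\n').forEach((line, idx) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    if (classifyUses(m[1]) === 'unpinned') {
      findings.push({ line: idx + 1, ref: m[1] });
    }
  });
  return findings;
}

// Constructed sample: one SHA-pinned step (placeholder SHA), two tag-pinned
// steps, and one local action.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: ./.github/actions/local-thing
      - name: Summarize
        uses: test-summary/action@v2
`;

for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.ref} is not pinned to a commit SHA`);
}
```

Running it against the sample reports `actions/checkout@v4` and `test-summary/action@v2` as unpinned; wiring the same function into a pre-merge check gives you the "is every action pinned?" signal that the quote asks for.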