Node.js security release, React Server Components authorization bypass, NodeConf EU and a collection of useful GitHub Actions
How easy is it to introduce broken access control when using React Server Components? In this RSC example, Sasha shared on Twitter how they inadvertently wrote React Server Component code that would have resulted in a security breach if it had not been refactored in time to fix the issue. Judging by the social chatter, this is a very confusing security issue for developers. [nodejs-security.com]
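As an added illustration of the trust-boundary mistake this blurb refers to (example code written for this issue, not Sasha's original code and not from the React project; the in-memory data, session store and function names are assumptions): a server action that takes the acting user's id from client-supplied form data, beside one that resolves identity from the server-side session.

```javascript
// Added example, not from the newsletter or from Sasha's post.
// Constructed in-memory "database" of private notes keyed by owner.
const notes = {
  "note-1": { owner: "alice", body: "alice's private note" },
  "note-2": { owner: "bob", body: "bob's private note" },
};

// Constructed session store: session cookie value -> authenticated user id.
const sessions = { "cookie-alice": "alice", "cookie-bob": "bob" };

// Vulnerable pattern: the server action takes userId from the form data the
// client component submitted and uses it for the ownership check. Server
// actions are reachable as HTTP endpoints, so anything the client component
// passes in (props, hidden fields, form data) is attacker-controlled and the
// "only my component calls this" assumption is not a trust boundary.
function getNoteVulnerable({ noteId, userId }) {
  const note = notes[noteId];
  if (!note) return null;
  if (note.owner !== userId) return null; // check against a value the caller chose
  return note.body;
}

// Hardened pattern: identity comes only from server-side state (here a session
// cookie looked up on the server), and the ownership check uses that identity.
// The client can influence which note is requested, never who it acts as.
function getNoteHardened({ noteId }, sessionCookie) {
  const userId = sessions[sessionCookie];
  if (!userId) return null; // unauthenticated
  const note = notes[noteId];
  if (!note) return null;
  if (note.owner !== userId) return null; // authenticated but not authorized
  return note.body;
}
```

The detection-side takeaway is the same either way: an authorization decision in a server action or server component must be made from session-derived identity, and any `userId`-like parameter arriving from the client is a code-review red flag.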
🚨 Node.js Security Release — expected to be published today, July 8th, fixing 5 security vulnerabilities in the Node.js runtime. Watch closely and upgrade as soon as you can. [github]
Fancy some security GitHub Actions? Here you go
Edward Thomson published a new version of test-summary — Beautiful looking summaries for GitHub Action test output. [github]
Ulises Gascon, Node.js collaborator and Express maintainer, releases a new version of OpenSSF Scorecard Monitor — The Scorecard project aims to quantify the security posture of open-source projects. This action helps streamline that through PR workflows and reports. [github]
New dependencies advisor — A GitHub Action that integrates with the Snyk Advisor to pull information about newly added dependencies in a Pull Request and add a comment with their package health score. [github]
Care to meet many Node.js collaborators and developers in an Irish castle? Get tickets to the NodeConf EU conference happening on November 4-6, 2024. FYI, the Call For Papers is also open, submit talks!
On npm
neostandard - Pelle Wessman introduces the successor for StandardJS, the way we used to lint code. There is an open issue to track potential Biome support.
biome - Keeping with the same theme, Biome aims to be a one-stop-shop and fast JavaScript formatter and linter that replaces Prettier and ESLint. P.S. Biome celebrated 2 million monthly downloads 🎉
New Security Vulnerabilities
- @jmondi/url-to-png found vulnerable to Path Traversal, 11 Jun 2024
- undici found vulnerable to Memory Buffer Error, 25 Jun 2024
- @fastly/js-compute found vulnerable to Use After Free, 27 Jun 2024
- colors-names is a malicious package, careful what you install 😅
Hiring
- Snyk hiring for Associate Security Researcher - Hunter team in 🇷🇴
- Snyk hiring for Staff Software Engineer DX (TypeScript & Node.js) in 🇬🇧
- SentinelOne hiring for Senior Threat Researcher in 🇮🇱
- SentinelOne hiring for Staff Software Engineer JS, React in 🇮🇳
- Datadog hiring for Library Software Engineer, Node.js in EMEA
- Datadog hiring for Staff Software Engineer JS, React in 🇮🇳
You should pin your actions usage to a SHA. Want the security but don't want the bother? Frizbee can take care of that for you.
— Edward Thomson, June 26 2024