Node.js Threat Model, CVEs and nodejs.json Config File || FREE RedHat's Node.js Architecture EBOOK
Headlines
Is a nodejs.json config file coming soon? - Marco Ippolito and Joyee Cheung are discussing the possibility of introducing a nodejs.json configuration file to Node.js. The file would let users set Node.js options, such as the various command-line flags, in a single place. That would be a significant improvement over the current situation, where these options must be passed on the command line or through environment variables.
Node.js starts issuing CVEs for End-of-Life runtime versions - Until recently, the Node.js project issued CVEs only for supported runtime versions. That has now changed: Node.js has become a CNA (CVE Numbering Authority) and has begun issuing CVE records for older, unsupported versions such as Node.js v14 and Node.js v16. Expect a higher number of alerts from security scanners as a result.
A Node.js Maintainers Threat Model - Rafael Gonzaga has opened a discussion on a Maintainers Threat Model: which access each group of participants or contributors holds, and how each group could impact the Node.js binary.
styleText Node.js API to Respect Terminals - Rafael Gonzaga merged a PR that changes the styleText API to respect terminal capabilities and environment variables such as NO_COLOR, NODE_DISABLE_COLORS, and FORCE_COLOR.
simple-git unsafe actions - When adopting a library, it’s best to review the code and any security disclaimers to make sure you understand the risks. This is the case with simple-git, and here’s an example of using an unsafe transport like ext:: for cloning:
import { simpleGit } from 'simple-git';

// throws
await simpleGit()
  .raw('clone', 'ext::git-server-alias foo %G/repo', '-c', 'protocol.ext.allow=always');

// allows calling clone with a helper transport
await simpleGit({ unsafe: { allowUnsafeProtocolOverride: true } })
  .raw('clone', 'ext::git-server-alias foo %G/repo', '-c', 'protocol.ext.allow=always');
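The snippet above relies on simple-git's own guard against helper transports. The following is an added example, not code from simple-git or from the newsletter, showing what such a pre-flight check looks like when you own it: classifyRemote rejects remote specs that use a helper transport such as ext:: (unless the caller opts in, mirroring the allowUnsafeProtocolOverride flag), that start with "-" (git would read them as options), or that use a URL protocol outside an allow-list; hasProtocolAllowOverride catches "-c protocol.<name>.allow=..." arguments that re-enable those transports. The function names, the allow-list and the sample remotes are all assumptions made for this example.

```javascript
// Added example, not simple-git's own code: a pre-flight policy for remote
// specs and git arguments before they reach any git wrapper.
const SAFE_URL_PROTOCOLS = new Set(['https:', 'ssh:', 'git:']); // assumed allow-list

// Classify a remote spec. Returns { ok, reason }.
function classifyRemote(remote, { allowUnsafeProtocolOverride = false } = {}) {
  if (typeof remote !== 'string' || remote.trim() === '') {
    return { ok: false, reason: 'empty remote' };
  }
  // A leading "-" would be parsed by git as an option, not a location.
  if (remote.startsWith('-')) {
    return { ok: false, reason: 'remote looks like a command-line option' };
  }
  // Helper transports (ext::, fd::) make git run a local command or read a
  // local descriptor; allow them only when the caller has explicitly opted in.
  const helper = /^([a-z0-9]+)::/i.exec(remote);
  if (helper) {
    const name = helper[1].toLowerCase();
    return allowUnsafeProtocolOverride
      ? { ok: true, reason: `helper transport ${name}:: explicitly allowed` }
      : { ok: false, reason: `helper transport ${name}:: not allowed` };
  }
  // scp-like syntax (user@host:path) is plain ssh.
  if (/^[\w.-]+@[\w.-]+:[^/]/.test(remote)) {
    return { ok: true, reason: 'scp-like ssh remote' };
  }
  let url;
  try {
    url = new URL(remote);
  } catch {
    return { ok: false, reason: 'not a parseable URL' };
  }
  if (!SAFE_URL_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  return { ok: true, reason: `${url.protocol} remote` };
}

// Detect "-c protocol.<name>.allow=..." or "-c protocol.allow=..." overrides
// (also the fused "-cprotocol..." and "--config=protocol..." spellings), which
// re-enable transports that git disables by default.
function hasProtocolAllowOverride(args) {
  const pattern = /^protocol(?:\.[^.=]+)?\.allow=/i;
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (arg === '-c' && i + 1 < args.length && pattern.test(args[i + 1])) return true;
    if (arg.startsWith('-c') && arg.length > 2 && pattern.test(arg.slice(2))) return true;
    if (arg.startsWith('--config=') && pattern.test(arg.slice('--config='.length))) return true;
  }
  return false;
}

// Constructed sample inputs for a stand-alone run.
const sampleArgs = ['clone', 'https://github.com/org/repo.git', '-c', 'protocol.ext.allow=always'];
console.log(classifyRemote('https://github.com/org/repo.git'));   // ok
console.log(classifyRemote('ext::git-server-alias foo %G/repo')); // rejected
console.log(hasProtocolAllowOverride(sampleArgs));                 // true
```

In practice you would run both checks on the remote and the argument list and refuse to call simpleGit().raw(...) when either fails, so the decision to use a helper transport is a deliberate one in your code rather than something an input string can flip.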
The deep-equal package pulls in more than 50 dependencies.
Free EBOOK - A Developer’s Guide to the Node.js Reference Architecture - Written by Michael Dawson and Lucas Holmquist and made free by Red Hat for everyone.
Free EBOOK - Become a Node.js Developer - Written by Thomas Gentilhomme, long-time Node.js developer, and available in both French and English.
📦 On npm
@mjackson/node-fetch-server - Write servers for Node.js using the web fetch API primitives, like Request and Response.
❗ New Security Vulnerabilities
- solid-js found vulnerable to CVE-2025-27109 Cross-site Scripting, 21 Feb 2025
- docgpt found vulnerable to CVE-2025-0868 Command Injection, 20 Feb 2025
🔮 A Node.js Security Tip
Please do not make the same mistake I found a blogger in 2024 making, thinking the Node.js vm module is a security sandbox. It is not. The vm module is a tool for running JavaScript code in a controlled environment, but it is not a security sandbox and should not be used as one.