Node.js Threat Model, CVEs and nodejs.json Config File || FREE RedHat's Node.js Architecture EBOOK

Headlines

Is a nodejs.json config file coming soon? - Marco Ippolito and Joyee Cheung are discussing the possibility of introducing a nodejs.json configuration file to Node.js. This file would allow users to configure Node.js settings, such as the various command-line options, in a single file. This would be a significant improvement over the current situation, where users must specify these options on the command line or in environment variables.

support for Node.js config file

Node.js starts issuing CVEs for End-of-Life runtime versions - Until recently, the Node.js project issued CVE security records only for supported runtime versions. That has now changed: Node.js has opted to become a CNA (CVE Numbering Authority) and is issuing CVE records for older, unsupported versions such as Node.js v14 and Node.js v16. Expect to see a higher number of alerts from security scanners as a result.

A Node.js Maintainers Threat Model - Rafael Gonzaga welcomes discussion on a Maintainers Threat Model that would define the access granted to each group of participants or contributors and how each group could impact the Node.js binary.


styleText Node.js API to Respect Terminals - Rafael Gonzaga merged a PR that changes the styleText API to respect terminal capabilities and environment variables such as NO_COLOR, NODE_DISABLE_COLORS and FORCE_COLOR.

simple-git unsafe actions - When adopting a library, it’s best to review the code and any security disclaimers to make sure you understand the risks.

This is the case with simple-git. Here is an example of using an unsafe transport such as ext:: for cloning:

import { simpleGit } from 'simple-git';

// throws: by default simple-git blocks the ext:: remote helper transport
await simpleGit()
  .raw('clone', 'ext::git-server-alias foo %G/repo', '-c', 'protocol.ext.allow=always');

// allows calling clone with a helper transport once the unsafe override is opted into
await simpleGit({ unsafe: { allowUnsafeProtocolOverride: true } })
  .raw('clone', 'ext::git-server-alias foo %G/repo', '-c', 'protocol.ext.allow=always');
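Rather than relying on simple-git's default alone, a caller can validate the remote spec against an allowlist of transports before it ever reaches git. The following is an added example, not code from the simple-git project; the function names classifyRemote and cloneArgs and the sample remotes are my own, and it assumes the https, ssh and scp-like remote forms are the only ones your application needs.

```javascript
// Added example (not from simple-git): reject remote-helper transports such
// as "ext::" and any non-allowlisted scheme before calling simpleGit().raw(),
// so the check holds even if allowUnsafeProtocolOverride is enabled elsewhere.
const ALLOWED_SCHEMES = new Set(['https', 'ssh']);

// Returns { ok: true, transport } or { ok: false, reason }.
function classifyRemote(spec) {
  if (typeof spec !== 'string' || spec.trim() === '') {
    return { ok: false, reason: 'empty remote spec' };
  }
  if (spec.startsWith('-')) {
    return { ok: false, reason: 'remote spec must not look like a git option' };
  }
  // git remote-helper syntax "<helper>::<address>" (ext::, fd::, ...) hands
  // the address to an external helper, so it is rejected outright.
  const helper = /^([a-z][a-z0-9+.-]*)::/i.exec(spec);
  if (helper) {
    return { ok: false, reason: `remote helper "${helper[1].toLowerCase()}::" is not allowed` };
  }
  // URL-style "<scheme>://..." remotes: only allowlisted schemes pass.
  const url = /^([a-z][a-z0-9+.-]*):\/\//i.exec(spec);
  if (url) {
    const scheme = url[1].toLowerCase();
    return ALLOWED_SCHEMES.has(scheme)
      ? { ok: true, transport: scheme }
      : { ok: false, reason: `scheme "${scheme}://" is not allowed` };
  }
  // scp-like "user@host:path" is ssh; "\S+" keeps whitespace out of the path.
  if (/^[\w.-]+@[\w.-]+:\S+$/.test(spec)) {
    return { ok: true, transport: 'scp' };
  }
  return { ok: false, reason: 'unrecognised remote spec' };
}

// Builds the argument list for simpleGit().raw(...). Throws on a rejected
// spec, never adds a "-c protocol.*" override, and uses "--" so git cannot
// read the remote or the target directory as an option.
function cloneArgs(spec, dir) {
  const verdict = classifyRemote(spec);
  if (!verdict.ok) {
    throw new Error(`refusing to clone ${JSON.stringify(spec)}: ${verdict.reason}`);
  }
  return ['clone', '--', spec, dir];
}

// Constructed samples; the ext:: spec is the one from the snippet above.
for (const spec of ['https://github.com/nodejs/node.git', 'ext::git-server-alias foo %G/repo']) {
  console.log(spec, '=>', classifyRemote(spec));
}
// Usage: await simpleGit().raw(cloneArgs(spec, 'node'));
```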

The deep-equal package pulls more than 50 dependencies:

deep-equal npm package dependency graph


Free EBOOK - A Developer’s Guide to the Node.js Reference Architecture - Written by Michael Dawson and Lucas Holmquist and made free by Red Hat for everyone.

developer guide to the Node.js reference architecture


Free EBOOK - Become a Node.js Developer - Written by Thomas Gentilhomme, long-time Node.js developer, and available in both French and English.

become a Node.js developer by Thomas Gentilhomme


📦 On npm

@mjackson/node-fetch-server - Write servers for Node.js using the web fetch API primitives, like Request and Response.

node-fetch-server npm package

❗ New Security Vulnerabilities

🔮 A Node.js Security Tip

Please do not make the same mistake I found a blogger making in 2024: treating the Node.js vm module as a security sandbox. It is not. The vm module is a tool for running JavaScript code in a separate, controlled context, but that context provides no security isolation, and it should not be used as a sandbox for untrusted code.

the vm module is not a security sandbox


Node.js Security Newsletter
