​​Understanding and Preventing Prototype Pollution in Node.js​ — A short but practical walkthrough of Prototype Pollution in Node.js: what it is, how it works, and how to prevent it. Includes a real-world example _{nodejs-security.com}

Headlines

​​🚧 Node.js 22.5.0 included a bug that broke many builds — A bug in Node.js 22.5.0 caused many CI setups to fail their npm and yarn build workflows. Upgrade to Node.js 22.5.1 for a fix _nodejs

​​$ node —experimental-permission —allow-fs-write=​ — On-going discussion on the Node.js repository about verbose runtime warning when wildcards are used in filesystem trust policy _github

​​import sqlite from ‘node:sqlite’​ — SQLite is coming to a Node.js runtime version near you with initial support being merged in Node.js core _github

​Carlos Sousa improves Node.js URL.canParse performance by 50%​ _github

​​Yagiz Nizipli​ with more performance magic: fs.dir 100% faster​ _github

​ 🚨 Lodash prototype pollution vulnerabilities, upgrade to >= 4.17.17 affected versions are vulnerable through the zipObjectDeep function due to improper user input sanitization in the baseZipObject function:

​​Nuxt Security module celebrates 1,000,000 downloads​ — Congratulations to Jakub Andrzejewski for achieving this milestone and helping us ship secure Vue.js server-side applications _github ​

​​Nuxt v4.0 about to ship 🚀​ — continuing with Nuxt updates, the next major version of Nuxt is getting prepared for a release _github ​ ​​Firebase + Fastify = best friends? ​ — A step-by-step guide to enable HTTP webhooks on Google’s Firebase platform running the Fastify framework as a Firebase function _lirantal.com

On npm

• ​​oxlint​​ - More Rust tooling for the JavaScript ecosystem, the Oxidation Compiler brings fast linters, recording 50 times faster than ESLint benchmark
• ​​fastify-helmet​​ - fastify-helmet helps you secure your Fastify apps by setting important security headers
• ​​kysely​ 0.27.4 release 🎉 - kysely, the strongly-typed ORM with a new version and many bug fixes

New Security Vulnerabilities

• bootstrap found vulnerable to ​Cross-site Scripting​, 12 July 2024
• hfs found vulnerable to ​OS Command Injection​, 8 July 2024
• llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll is really the name of a ​Malicious package​ on npm, 19 July 2024

Hiring

• Mindera hiring for ​Backend Software Engineer, Node.js​ in 🇵🇹
• Lattice hiring for ​Senior Software Engineer, Node.js​ in 🇺🇸
• incode hiring for ​Senior Backend Engineer, Node.js​ in 🇷🇸
• Tipalti hiring for ​Staff Full Stack Engineer (Node.js)​​ in 🇮🇱