Is Zero Dependency JavaScript the Future? A Security Researcher Awarded $10,000 for a Dependency Confusion Bug and Astro and Vue found vulnerable to Cross-Site Scripting (XSS)
Zero Dependency JavaScript is the Future? — The controversy around the axobject-query package gave birth to a new trend in the JavaScript ecosystem: a low dependency tree, focused on speed gains. This blog post explores the trend and its implications and goes all the way back to Node.js v0.4 and its role in the support matrix of some of the most popular packages in the ecosystem.
Node.js Security News
Given that a Security Researcher was awarded $10,000 for a Dependency Confusion security bug, it’s probably a good time to review your security controls. I wrote a blog post on how to detect and prevent dependency confusion attacks on npm to help you get started.
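One such control, as an added example that is not from the newsletter or the linked post: a check that reads a project's package.json, .npmrc and package-lock.json (constructed sample strings here, with a hypothetical @acme scope and registry URL) and flags internal scoped packages that are not pinned to a private registry in .npmrc, or that the lockfile resolved from the public npm registry.

```javascript
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Parse "@scope:registry=URL" lines from an .npmrc into a Map of scope -> registry URL.
function parseScopeRegistries(npmrc) {
  const registries = new Map();
  for (const raw of npmrc.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue; // blank or comment
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) registries.set(m[1], m[2]);
  }
  return registries;
}

// Flag internal-scope dependencies that are not pinned to a private registry, or whose
// lockfile entry (package-lock v2/v3 "packages" map) was resolved from the public registry.
function checkDependencyConfusion({ packageJson, npmrc, lockfile, internalScopes }) {
  const pkg = JSON.parse(packageJson);
  const lock = JSON.parse(lockfile);
  const registries = parseScopeRegistries(npmrc);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!scope || !internalScopes.includes(scope)) continue;
    const registry = registries.get(scope);
    if (!registry || registry === PUBLIC_REGISTRY) {
      findings.push({ name, issue: 'internal scope is not pinned to a private registry in .npmrc' });
    }
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (entry && typeof entry.resolved === 'string' && entry.resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, issue: 'lockfile resolved this package from the public registry' });
    }
  }
  return findings;
}

// Constructed sample project files (hypothetical @acme scopes and registry URL, not real packages).
const SAMPLE = {
  internalScopes: ['@acme', '@acme-internal'],
  packageJson: JSON.stringify({
    dependencies: { '@acme/logger': '^2.1.0', '@acme-internal/build-tools': '^1.0.0', express: '^4.19.2' },
  }),
  npmrc: '# only one of the two internal scopes is mapped\n@acme:registry=https://npm.acme.example/\n',
  lockfile: JSON.stringify({
    lockfileVersion: 3,
    packages: {
      'node_modules/@acme/logger': { version: '2.1.0', resolved: 'https://registry.npmjs.org/@acme/logger/-/logger-2.1.0.tgz' },
      'node_modules/@acme-internal/build-tools': { version: '1.0.0', resolved: 'https://npm.acme.example/@acme-internal/build-tools/-/build-tools-1.0.0.tgz' },
      'node_modules/express': { version: '4.19.2', resolved: 'https://registry.npmjs.org/express/-/express-4.19.2.tgz' },
    },
  }),
};

console.log(JSON.stringify(checkDependencyConfusion(SAMPLE), null, 2));
```

Unscoped internal package names cannot be protected by a scope-to-registry mapping at all, which is why the check only covers scoped names; moving internal packages under a scope is the usual prerequisite for this control.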
JavaScript Security Issues in Node.js Applications — Explores security red flags in server-side rendering and features a JSHeroes 2017 talk by Liran Tal on security headers and other security best practices.
Rafael Gonzaga shares the nodejs-cve-checker repository — Tooling to help keep track of validated and confirmed CVEs that were published to NVD after a Node.js Security release.
Node.js News
Matteo Collina’s Reading and Writing Node.js Streams is a guide on the fundamentals of working with Node.js data streams from the words of the Node.js Streams working group lead himself.
Sam Saccone on X shared the top 25 most transitively depended-on runtime packages in the npm ecosystem, which you can reproduce from Ecosyste.ms open data using this query.
Keeping up with a low dependency footprint — recent advances in Node.js runtime features mean that you can swap out many surplus third-party packages for native Node.js support and substantially reduce your reliance on direct and indirect third-party dependencies.
A git diff, courtesy of one of my side projects:
On npm
- Arcjet — Arcjet adds a security layer in your server code to help developers with rate limiting, email validation and other security concerns. Arcjet supports Node.js as well as server-side rendered JavaScript via Next.js and other JavaScript runtimes (a la Bun and Hono).
- pkg.pr.new — From StackBlitz, a new way to release packages for npm by supporting continuous preview releases without the need to publish to the npm registry directly.
New Security Vulnerabilities
- vue-template-compiler found vulnerable to Cross-site Scripting, 24 July 2024
- astro found vulnerable to Cross-site Scripting, 21 July 2024
Hiring
- Mindera hiring for Backend Software Engineer, Node.js in 🇵🇹
- Lattice hiring for Senior Software Engineer, Node.js in 🇺🇸
- incode hiring for Senior Backend Engineer, Node.js in 🇷🇸
- Tipalti hiring for Staff Full Stack Engineer (Node.js) in 🇮🇱