Security for Node.js - designated as a top priority by the OpenJS Foundation and funded for the past 2 years by the Open Source Security Foundation (OpenSSF) Project Alpha-Omega - has continued to progress in 2024. 

So far this year, the team has accomplished:

• Security releases for Node.js
• Updates to the permission model
• More progress on automation of security releases
• Raising awareness through talks in the community

Read more below for details. Additionally, we would like to thank Project Alpha-Omega, whose support has been critical in helping strengthen Node.js security practices.

Security Releases

The hard work of delivering security releases is a key part of the work supported by the OpenSSF funding. There were two recent security releases with fixed disclosure dates based on collaboration across projects through the  Vulnerability Information and Coordination Environment (VINCE). These two releases were delivered to coincide with the fixed disclosure date so that updated versions of Node.js were available when the vulnerabilities went public.

Latest Updates for the Permission Model, Inclusion of fs.watch permission

The Node.js Permission Model continues to improve including fixing compatibility with Electron, improvements to buffer, resolve, and a new flag --allow-addons. Native addons are restricted by default, but it’s now possible to add the --allow-addons flag. 
The Permission Model also now accepts relative paths through the CLI. For example: --experimental-permission --allow-fs-read=./index.js. This is based on requests from the community.

Searches for "permission model" are high and are an indication of interest, including a UK government organization actively considering implementing the Permission Model. Permission Model roadmap information is available here.

In January, the team added the inclusion of fs.watch permission. The fs watcher in Node.js is a module that allows you to monitor changes in the file system. It watches a given directory or file and emits events when changes occur when a file is created, updated, or deleted. This allows you to automate processes related to changes in the file system, like reloading a web page when someone edits a file. The fs module in Node.js provides several methods to implement a watcher. Two of the methods are fs.watch() and fs.watchFile().

Continuing Automation

The project has a goal to fully automate its 29 step release process. Currently, Node.js has automations in place to start a security release - from creating an issue that lets everyone know it's starting to creating a blog post announcing the release. However, you have to open an issue, it still requires doing many steps manually, and creating proposals for each active release line. We’re likely to use metadata - reports, affected versions, CVEs - to automate upcoming security releases. The team continues to make progress on this front.

We have also created a new design for security releases, more details to come!

Node.js Community Talks

Our community has been active at many events already over the past 6 months! Catch up on their talks below.

• 5 Ways You Could Have Hacked Node.js: Rafael Gonzaga, Principal Open Source Engineer at NodeSource delivered a talk focused on the technical aspects of hacking and securing Node.js and covering the tactics used by the Node.js team to deal with vulnerabilities. The talk also covered how you can earn money by finding critical vulnerabilities in Node.js.
• The Chronic Disease Plaguing the Internet: Robin Bender Ginn, Executive Director for the OpenJS Foundation discussed the latest public and private sector security initiatives poised to fortify the open source ecosystem. Additionally, she shared the practical strategies to mitigate risks, and priority areas where organizations can focus their resources and policies to create a healthy web.
• Node.js Collaborator Summit: Last month, Node.js contributors and community members came together in London to share knowledge about the project and the ecosystem, brainstorm solutions to technical and non-technical issues, make progress in decision-making discussions, and push forward new initiatives.

Get Involved

Interested in getting involved with Node.js security? We are actively looking for new contributors! 

Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg.

If you want to join Node.js, there are multiple ways and places you can contribute. Please see here for more details: https://nodejs.org/en/get-involved/contribute.