
Node.js Security Progress Report – Looking Into SBOM for Node.js

September was a busy month with participation in 3 different events, regular work on security reports, and discussions around creating an SBOM for Node.js.

In September, we responded to 9 submitted reports (3 Triaged, 3 Closed as non-applicable, 3 Closed as informative) and the average first response time was 4 hours and 30 minutes, slightly faster than in August.

Work on Node.js security is thanks in part to the Open Source Security Foundation (OpenSSF) and the Project Alpha Omega. You can read more details about our partnership here: Security Support Role 2023.

Possible Software Bill of Materials (SBOM) for Node.js

We are now actively looking at ways to include a Software Bill of Materials (SBOM) for Node.js releases. In May 2021, the US government issued an Executive Order on Improving the Nation’s Cybersecurity which specifically advocates providing SBOMs for software products. 

From the executive summary:

“…the term ‘Software Bill of Materials’ or ‘SBOM’ means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging.”

However, exactly what the SBOM includes is debatable. Timing for implementation is not decided. The full internal Node.js discussion on adding an SBOM for Node.js is available here: https://github.com/nodejs/security-wg/issues/1115 

Node.js Security WG Initiatives

Creating Security Release issues is now automated. The new command is designed to manage every state of a security release; at present it covers the CREATE step. In the future, it will also handle requesting CVEs, creating issues, sending emails and more.

Node.js Security Sustainability

September was a month full of speaking engagements. We believe events like the ones listed below are an excellent opportunity to connect directly with the Node.js community and to get feedback and welcome outside contributors. We hope to meet you face-to-face in the near future!

  • “The State of Node.js Security”
    • Node.js Collab Summit, Bilbao, Spain, Sept 18th
  • “The Journey of Node.js Permission Model”
    • OpenSSF Day, Bilbao, Spain, Sept 18th
  • “Improving the security of a large open source project”
    • Open Source Summit EU, Bilbao, Spain, Sept 20th
  • “Node.js Project”
    • Grace Hopper Celebration Day, virtual, Sept 22nd
  • “Improving the security of a large open source project”
    • OpenJS World, Shanghai, China, Sept 26th

Interested in getting involved with Node.js security? The new Permission Model is still experimental, which makes it the right time for you to try it. We are actively looking for new contributors. And, we’re super friendly! 🙂

Find out more about the Node.js Security Team here: https://github.com/nodejs/security-wg