Skip to main content


Node.js Security Progress Report – Looking Into SBOM for Node.js

By Blog, Node.js, Node.js Security

September was a busy month with participation in 3 different events, regular work on security reports, and discussions around creating an SBOM for Node.js.

In September, we responded to 9 submitted reports (3 Triaged, 3 Closed as non-applicable, 3 Closed as informative) and the average first response time was 4 hours and 30 minutes, slightly faster than in August.

Work on Node.js security is thanks in part to the Open Source Security Foundation (OpenSSF) and the Project Alpha Omega. You can read more details about our partnership here: Security Support Role 2023.

Possible Software Bill of Materials (SBOM) for Node.js

We are now actively looking at ways to include a Software Bill of Materials (SBOM) for Node.js releases. In May 2021, the US government issued an Executive Order on Improving the Nation’s Cybersecurity which specifically advocates providing SBOMs for software products. 

From the executive summary:

“…the term ‘Software Bill of Materials’ or ‘SBOM’ means a formal record containing the details and supply chain relationships of various components used in building software.  Software developers and vendors often create products by assembling existing open source and commercial software components.  The SBOM enumerates these components in a product.  It is analogous to a list of ingredients on food packaging.”

However, exactly what the SBOM includes is debatable. Timing for implementation is not decided. The full internal Node.js discussion on adding an SBOM for Node.js is available here: 

Node.js Security WG Initiatives

Creating Security Release issues is now automated. The new command manages all the states of a security release. It  includes CREATE. In the future, it will include requesting CVEs, creating issues, sending emails and more.

Node.js Security Sustainability

September was a month full of speaking engagements. We believe events like the ones listed below are an excellent opportunity to connect directly with the Node.js community and to get feedback and welcome outside contributors. We hope to meet you face-to-face in the near future!

  • “The State of Node.js Security”
    • Node.js Collab Summit, Bilbao, Spain, Sept 18th
  • “The Journey of Node.js Permission Model”
    • OpenSSF Day, Bilbao, Spain, Sept 18th
  • “Improving the security of a large open source project”
    • Open Source Summit EU, Bilbao, Spain, Sept 20th
  • “Node.js Project”
    • Grace Hopper Celebration Day, virtual, Sept 22th
  • “Improving the security of a large open source project”
    • OpenJS World, Shanghai, China, Sept 26th

Interested in getting involved with Node.js security? The new Permission Model is still experimental, which makes it the right time for you to try it. We are actively looking for new contributors. And, we’re super friendly! 🙂

Find out more about the Node.js Security Team here:

Node.js 21 Available Now!

By Announcement, Blog, Node.js

The release of Node.js 21 is available now! Node.js 21 replaces Node.js 20 as our current release line, and Node.js 20 is being promoted to long-term support (LTS). 

What’s the difference between the two releases? Node.js 21 is great for early feature testing for your own specific environment, while Node.js 20 LTS is for production deployments. Node.js 21 will be ‘Current’ release for the next 6 months, until April 2024. Here is our full Node.js release schedule.

​​Highlights in Node.js 21 include updates of the V8 JavaScript engine to 11.8, stable WebStreams, a new experimental flag to flip module defaults (–experimental-default-type), many updates to our test runner, and more!

“If you’re interested in getting access to interesting new features early, Node.js 21 is a great way to test and see what’s coming. Our release schedule specifically covers this. If you’re already in active deployment or if you are planning for it, Node.js 20 and 18 LTS are for you,” said Rafael Gonzaga, Node.js Technical Steering Committee (TSC) Member. “Many thanks to our open source contributors for making Node.js better and better. Thanks also to OpenSSF and Project Alpha Omega for helping us improve Node.js security.”

“Node.js demand among developers continues to grow as the need for reliable and scalable web applications rises. With Node.js 21, you can evaluate the current state of Node.js features directly,” said Michaël Zasso, member of the Node.js TSC. “As just one example, Node.js has had a stable test runner since Node.js 20. There’s no need to install a third-party module, and you can create test scripts easily. Node.js 21 includes many improvements to the test runner. Try it out!” 

Main updates for Node.js 21

  • V8 JavaScript engine updated to 11.8
  • Stable WebStreams which helps to process data in small sizes for browser applications
  • A new experimental flag to flip module defaults (–experimental-default-type) – Node.js has two module systems: CommonJS modules and ECMAScript modules. Node.js treats files with a .js extension by default as CommonJS modules. This can now more easily be flipped.
  • Many updates to test runner which allows users to run functional tests and export results
  • Full changes and commits here

Download Node.js 21 here and get started testing right away! More details can be found in the Node.js blog.

Join us in Shanghai for OpenJS World China

By Blog, Event

We’re excited to be at Open Source Summit in Shanghai, China from September 26-28! We have a great lineup of JavaScript speakers at the event, and we encourage you to join us on September 26. Details are below.

📅 Date: September 26, 13:30-16:30 PM

📍 Location: Shanghai Convention & Exhibition Center of International Sourcing

🚪 Room: 3M Room 3M5A

✏️ Register: Open Source Summit China


Improving the Security of a Large Open Source Project One Step at a Time

Rafael Silva, Nearform

Node-RED in Industrial IoT

Kazuhito Yokoi, Hitachi, LTD

New Electron Forge with Vite

Leo Wang, HelloBike

YodaOS JSAR: The Web Trio in the Era of Spatial Computing

Yazhong Liu, Rokid

Node.js Training Sale

In honor of OpenJS World, all Node.js training and certification will be 60% off! Use code OPENJSWORLD2023 at Linux Foundation Training and Certification.

Node.js Security Progress Report – 17 Reports Closed

By Blog, Node.js, Node.js Security

In June, we saw all of our Node.js security metrics trending in the right direction. Closed reports were up, average first response time was down (again), and much more. Our Threat Model is now being used regularly to help assess issues. And we are getting comments on our Security Model, which is the kind of interaction that makes processes robust. We’re not claiming victory, but this feels like progress.

As always, we want to say thank you to OpenSSF and Project Alpha Omega for their support. You can read more details about our partnership here: Security Support Role 2023.

Fixing and Triaging Security Issues

The Node.js team closed 17 reports in June which is a big increase from the 2 completed in May. We don’t expect the number of reports to increase linearly, but this still qualifies as a good month for improving Node.js security issues.

Also, Node.js team’s average first response time in June was 3 hours, compared to 8 in May. Remember our goal is average first response within 48 hours, so this is excellent. We’d like to extend special thanks to Tobias, Bradley and Rafael for their help as volunteer triagers!

A lot of effort was made to include all the fixes on time for the Node.js security release that went out on June 20, 2023. Last year, security releases came out about once per quarter, which was not frequent enough. We are looking to increase the frequency this year.

Support for Security Releases

Security Release coordination continues to improve. All the processes described by the security release process – multiple steps for planning, announcement one week in advance, and release day – were completed.

One big improvement is automation. For each security release, there used to be 26 steps and then 12 steps for the release itself. But with the OpenSSF investment, we have been able to dedicate time to automate, establish new processes, and streamline the workflow. Each version required all those steps (v20.3.1, v18.16.1, and v16.20.1). 

The most recent Security Release included updates of two Node.js dependencies: OpenSSL and c-ares. All the releases were sponsored by OpenSSF.

And there was one regular release of Node.js v20.3.0!

Node.js Security Working Group Initiatives

The Security Working Group is making progress on the 4 main initiatives for the Security Working Group Initiatives for 2023: Permission Model, Automate update dependencies, Assessment against best practices, and Automate Security release process. 

Permission Model – 2 Phase@RafaelGSSIn ProgressIssue #898
Automate update dependencies@marco-ippolitoDoneIssue #828
Assessment against best practices@fraxken/@ulisesGasconIn ProgressIssue #859
Automate Security release process@RafaelGSSIn ProgressIssue #860

Permission Model

For the Permission Model, 5 security fixes for CVEs were completed. Regular fixes and pull requests were also addressed.

The Security WG is actively looking for more feedback. If you are interested in helping to define the initiatives, please participate!

Automated Update Dependencies

The initiative has been completed, it was just missing backports. It is now ready to be merged! 🎉

Assessment Against Best Practices

The Security WG is continuously looking at best practices and doing improvement on each Security WG call. One area of effort is CII-Best-Practices for Node.js Projects. Node.js looked at this early, 7 years ago, which means we were forward looking, but it needs to be updated. 

Automate Security Release process

A PR has been created to automate the release proposal for security releases. The Security Release proposals were created using this automation

Connecting with us – Recent Speaking Engagements

Improving Security Processes

There is a new PR now to help create security issues. It automates GitHub issue creation. It should eventually manage all states of a security release. The PR includes a new command CREATE and there will be other PRs to manage  steps beyond CREATE, such as requesting CVEs, creating issues, sending emails and more.

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. Be sure to join us for this month’s meetings:

Node.js Security Progress Report – First Response Time Down to 8 Hours, New Security Release Announced

By Blog, Node.js, Node.js Security

Last month, we reported that the first response time in April was down to 18 hours. For May, it dropped again, down to 8 hours. Our established goal is a 48-hour response time, making an 8 hour response time excellent. Real-world response time will likely fluctuate up and down some moving forward as we work through improving our processes including our new Permission Model and automation of dependencies and build processes. 

Beyond that, 5 reports were created in April and 2 were closed from May. In April, 6 hackers participated. This type of outside participation is extremely encouraging, thank you for your contributions!

We completed the first initiative from 2023 for automating dependencies. This will go a long way to creating security sustainability and we’re  working hard on automating the security release process itself. 

Big thanks to OpenSSF and Project Alpha Omega for their continued support. Partnership details are outlined here: Security Support Role 2023.

Support for Security Releases

The next security release is scheduled for June 20, 2023, and we are actively working on multiple security fixes. OpenSSL Security Release 29/05 came out and will be integrated into this release and the c-ares security release. 14 reports affecting different active release lines came out in May. More information here.

Three regular releases came out (v20.1.0, v20.2.0 and v20.3.0) and we’ve been focusing on coordinating upcoming releases, making sure there is clear alignment with the Node.js team and releasers, and creating and backporting fixes.

What’s a backport? Many security fixes are for the most recent version since this is the focus of attention. The goal is to create backport pull requests for previous versions at the same time. So, if we fix something in Node.js 20, there are fixes available for older versions, like Node.js 16, when needed.

Node.js Security Working Group Initiatives

There was good discussion about supporting environment variables as part of the Permission Model. The idea is to know explicitly what resources an application is accessing when it runs.

The current proposal is to add variable names into an allowlist using the –allow-env flag as shown below. Any variables not included in the allowlist will be inaccessible through process.env.

Assessment against security best practices to make progress. We are actively monitoring undici, node, and security-wg repositories. And we are improving the OSSF Scorecard undici that helps in our assessment in comparison with best practices.

Node.js Security Sustainability

Check out all of our recent speaking engagements:

We’re meeting with the Google Open Source Security Team to discuss the Permission Model. They’ve participated in our recent Security WG sessions, and we believe this is a positive step forward in helping with security sustainability.

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. 

Be sure to join us for this month’s meetings:

Node.js Security Progress Report – Automation, Automation and more Automation

By Blog, Node.js, Node.js Security

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April with more people participating than the previous month. Response time in April was 18 hours before the first response back from us, which is less than our goal of a 48 hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency update automation were completed this month, which included undici, openssl, v8, npm and more. There are only 2 more automations to go.

As a reminder, the Security Working Group started investigating dependencies in Node.js in November last year. They identified automated updates, and which ones should be prioritized: We can already see the benefits of this work by looking at the increased number of pull requests for dependency updates automatically submitted to the project. 

Security Release Automation

The Security Working Group is focusing on implementing automation for the key dependencies in the build. This makes the overall process easier and less prone to error, and it makes it possible in the future for different stewards to complete the process. 

There are currently 26 steps in doing a Node.js security release.If greater automation works, it will be a big step forward. Please expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. Any bugs are considered vulnerabilities because they are security features. 

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self sufficiency. 

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings:

Node.js Security Progress Report – More Successful December Outcomes

By Blog, Node.js, Node.js Security

December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software. 

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, 2 previous reports had the fixes disclosed, and 2 ecosystem issues were handled with one having a fix approved and one fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component to Node.js security. We are finishing the permission model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed:

OpenSSL update 

OpenSSL announced a low vulnerability issue that affects OpenSSL 3.x users which means Node.js v18+. We evaluated the issue and disclosed our assessment. This vulnerability doesn’t affect Node.js and will be fixed in regular releases.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!