The founder of the Node Security Project says Node.js still has common vulnerabilities, but progress has been made to make it more secure.
Appearing at the recent Node Community Convention in San Francisco, project founder Adam Baldwin, chief security officer at Web consulting company &yet, emphasized risks, protections, and progress.
Baldwin sees four risks within the Node ecosystem pertinent to the enterprise: the code dependency tree, bugs, malicious actors, and people. "I think of [the dependency tree] more as the dependency iceberg, to be honest," Baldwin said, "where your code is the ship and your dependencies that you have with your packaged JSON is that little tiny iceberg at the top." But developers need to be aware of the "massive" iceberg underneath, he stressed.
The third and fourth risk categories -- malicious actors and people -- are closely related. The former deliberately upload malicious code, and the Node Security Project has an effort afoot to detect those modules, Baldwin said. With the latter, people, there may or may not be any malicious intent behind a module. "I trust these people will write good code or at least not have malicious intent for my project," said Baldwin. The point is not that people are untrustworthy or will write bad code, but that the organization as a whole bears the risk of bad security habits.
Baldwin offered risk mitigation strategies involving moving to npm onsite, auditing, white-listing modules, using the Node Security Project command-line tool, and changing passwords. As a general rule, Baldwin recommended that users "treat confidential information that you are in possession of with respect."
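The "dependency iceberg" and the white-listing advice above can be made concrete with a small script. The following is an added example, not code from the article or from the Node Security Project: it walks a lockfile, counts how many installed packages sit below the handful listed in package.json, and reports every installed package@version that has not been reviewed and added to an allowlist. The package.json, the lockfile and the allowlist are all constructed inline (the package names are hypothetical); the lockfile mimics npm's lockfileVersion 1 layout, where transitive packages are hoisted into the top-level "dependencies" object and conflicting versions are nested under the package that needs them.

```javascript
// Added example (not from the article or the Node Security Project): measure the
// "dependency iceberg" from a lockfile and check every installed package against
// an allowlist of reviewed packages. All data below is CONSTRUCTED; a real run would
// JSON.parse the contents of package.json and package-lock.json from disk.

// The visible tip of the iceberg: what the application declares directly.
const packageJson = {
  name: "example-app",
  dependencies: { "web-framework": "^4.0.0", "logger": "^2.1.0" }
};

// The part under the water line: what npm actually installs (lockfileVersion 1 shape).
const lockFile = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "web-framework": { version: "4.2.0", requires: { "body-parser": "^1.0.0", "cookie": "^0.4.0", "debug": "^2.0.0" } },
    "body-parser": { version: "1.19.0", requires: { "debug": "^2.0.0", "iconv-lite": "^0.4.0" } },
    "cookie": { version: "0.4.1" },
    "debug": { version: "2.6.9", requires: { "ms": "^2.0.0" } },
    "ms": { version: "2.0.0" },
    "iconv-lite": { version: "0.4.24" },
    "logger": {
      version: "2.1.3",
      requires: { "debug": "^4.0.0" },
      // logger needs a conflicting major of debug, so npm nests a second copy here
      dependencies: {
        "debug": { version: "4.3.1", requires: { "ms": "^2.1.0" } },
        "ms": { version: "2.1.2" }
      }
    }
  }
};

// Packages a reviewer has already looked at (hypothetical). The nested debug@4.x and
// ms@2.1.x were never reviewed, which is exactly what the report should surface.
const reviewedPackages = new Set([
  "web-framework@4.2.0", "body-parser@1.19.0", "cookie@0.4.1",
  "debug@2.6.9", "ms@2.0.0", "iconv-lite@0.4.24", "logger@2.1.3"
]);

// Recursively collect every installed package as "name@version" (nested copies too).
function collectInstalled(deps, out = new Map()) {
  for (const [name, entry] of Object.entries(deps || {})) {
    out.set(`${name}@${entry.version}`, { name, version: entry.version });
    if (entry.dependencies) collectInstalled(entry.dependencies, out);
  }
  return out;
}

// Compare the declared (direct) set with the installed set and apply the allowlist.
function icebergReport(pkg, lock, allowlist) {
  const direct = new Set(Object.keys(pkg.dependencies || {}));
  const installed = collectInstalled(lock.dependencies);
  const transitive = [...installed.values()].filter(p => !direct.has(p.name));
  const notAllowlisted = [...installed.keys()].filter(k => !allowlist.has(k)).sort();
  return {
    directCount: direct.size,
    installedCount: installed.size,
    transitiveCount: transitive.length,
    notAllowlisted
  };
}

function runExample() {
  return icebergReport(packageJson, lockFile, reviewedPackages);
}

console.log(JSON.stringify(runExample(), null, 2));
```

In a CI job the same logic would run against the real lockfile and fail the build whenever `notAllowlisted` is non-empty, which turns "white-listing modules" from a policy into a check; the direct-versus-installed counts are a cheap way to show a team how much of the iceberg they never declared.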
The Node.js Foundation, which oversees the platform's development, recently disclosed two vulnerabilities, including a denial-of-service risk. Patches were released roughly a week later. Developers should also report security issues they find.