4 years of Node Security

Adam Baldwin
Published in Node Security
Apr 18, 2017

Today marks the 4th birthday of the Node Security Project. During that time we accomplished a lot, failed more than a few times, and inspired many developers to make security an important part of their discipline. The conversations that I’ve been able to have with many of you at conferences about things you’ve learned or bugs you’ve found are some of my favorite memories.

To celebrate I wanted to highlight some of the achievements along the way.

  • Released nsp, the first CLI tool to check for known vulnerabilities, which has had 2,772,324 downloads
  • david-dm.org was the first third-party site to integrate the nsp advisory data.
  • Released the Node Security Platform to allow quick and easy integration of the nsp data via API.
  • Was the first security integration added to npm Enterprise
  • Had the nsp security data integrated into npm search
    npm search whatever not:insecure
  • Established a partnership with Gemnasium to source node security data for their SaaS and Enterprise products.
  • Performed more than 20 million security checks (since we started counting a year ago)
  • Released a set of ESLint Rules that can help identify some Node.js security hotspots.
  • Curated 314 advisories, many of those contributions from the community (thank you) and the others from our own research.

And finally, we announced that we would be donating the nsp advisory data to the Node.js Foundation.

So what’s next for the Node Security Platform?

While the foundation working group is being established to curate and manage the advisory data, we are going to focus on pushing beyond simple known-vulnerability checks.

Security is a process and we’re going to give you the tools and talent to support you in that process. We’re also working to give you access to the tools and information we have as researchers so you can dig around and find something great.

From all of us on the Node Security Platform team, we thank you for helping make the last 4 years a success. ❤

Adam Baldwin
VP of Security at npm. Previously founded @liftsecurity, Founder @nodesecurity acquired by npm, inc