Open in app
Sign inGet started
Go to the profile of npm, Inc.
npm, Inc. in Node Security

npm Acquires ^Lift Security and the Node Security Platform

Read more…
Go to the profile of Adam Baldwin
Adam Baldwin in Node Security

npm Registry Spelunking: Dependencies Referenced by URL

I’ve learned a long time ago that not all security research pans out with a stack of vulnerabilities but every time I venture down a rabbit hole I learn something along the way. This is one of those times.

Read more…
1 response
Go to the profile of Adam Baldwin
Adam Baldwin in Node Security

Announcing nsp 3.0.0

The Node Security team is excited to announce version 3.0.0 of the nsp CLI tool.

Get it by running npm i nsp@next

This release marks the 3rd major iteration of the CLI. While the changes mentioned below may seem minor the entire CLI was…

Read more…
Go to the profile of Nathan LaFreniere
Nathan LaFreniere in Node Security

Finding and fixing ReDoS in the hapi framework

Recently a Regular Expression Denial of Service issue was reported on the content repository, a part of the hapi framework. The issue has been removed as of the writing of this post, but I can tell you that it reported a pair of regular expressions…

Read more…
Go to the profile of Adam Baldwin
Adam Baldwin in Node Security

Pull Requests Welcome: We need your help to fix some ReDoS vulnerabilities

Recently there were a large number of regular expression denial of service ( ReDoS ) vulnerabilities released to the public via GitHub issues. These issues don’t have patches but many of the maintainers…

Read more…
Go to the profile of Adam Baldwin
Adam Baldwin in Node Security

4 years of Node Security

Today marks the 4th birthday of the Node Security Project. During that time we accomplished a lot, failed more than a few times, and inspired many developers to make security an important part of their discipline. The conversations that I’ve been able to have with many of you at…

Read more…
Go to the profile of syrnick
syrnick in Node Security

Potential DoS using lodash/underscore collection methods over user inputs

JavaScript is a magical language. Functions are objects, and objects can have new properties added on the fly. Compilers optimize the code to run it very fast. Even more magic is available with a single…

Read more…
2 responses
Go to the profile of Emelia Smith
Emelia Smith in Node Security

The Most Common XSS Vulnerability in React.js Applications

If you’ve copied the renderFullPage…

Read more…
21 responses
Go to the profile of Adam Baldwin
Adam Baldwin in Node Security

What Are The Bots Up To On npm?

Last year I had a thought, “who else is downloading and running / testing random modules on npm.” Postulating that there might be bots, build systems or other researchers mass downloading and running modules from npm. I figured it might be an interesting vector to attack…

Read more…
3 responses
Go to the profile of Adam Baldwin
Adam Baldwin in Node Security

Why you should move from nsp cli to nodesecurity.io?

Read more…
About
Node Security
Node Security
Node Security is now at npm, Inc. helping to build a range of security products.
More information
Followers
1K
Elsewhere