I’ve learned a long time ago that not all security research pans out with a stack of vulnerabilities but every time I venture down a rabbit hole I learn something along the way. This is one of those times.
The Node Security team is excited to announce version 3.0.0 of the nsp CLI tool.
Get it by running npm i nsp@next
npm i nsp@next
This release marks the 3rd major iteration of the CLI. While the changes mentioned below may seem minor the entire CLI was…
Recently a Regular Expression Denial of Service issue was reported on the content repository, a part of the hapi framework. The issue has been removed as of the writing of this post, but I can tell you that it reported a pair of regular expressions…
Recently there were a large number of regular expression denial of service ( ReDoS ) vulnerabilities released to the public via GitHub issues. These issues don’t have patches but many of the maintainers…
Today marks the 4th birthday of the Node Security Project. During that time we accomplished a lot, failed more than a few times, and inspired many developers to make security an important part of their discipline. The conversations that I’ve been able to have with many of you at…
Last year I had a thought, “who else is downloading and running / testing random modules on npm.” Postulating that there might be bots, build systems or other researchers mass downloading and running modules from npm. I figured it might be an interesting vector to attack…
This last week we snuck in a new feature to nsp Live; the quick fix security button. This feature intends to remove the chore of figuring out what dependencies you need to update to what versions to fix a particular vulnerability.
