Node Security

npm Registry Spelunking: Dependencies Referenced by URL

I’ve learned a long time ago that not all security research pans out with a stack of vulnerabilities but every time I venture down a rabbit hole I learn something along the way. This is one of those times.

Why you should move from nsp cli to nodesecurity.io?

The Most Common XSS Vulnerability in React.js Applications

If you’ve copied the renderFullPage…

npm Acquires ^Lift Security and the Node Security Platform

Potential DoS using lodash/underscore collection methods over user inputs

JavaScript is a magical language. Functions are objects, and objects can have new properties added on the fly. Compilers optimize the code to run it very fast. Even more magic is available with a single…

What Are The Bots Up To On npm?

Last year I had a thought, “who else is downloading and running / testing random modules on npm.” Postulating that there might be bots, build systems or other researchers mass downloading and running modules from npm. I figured it might be an interesting vector to attack…

Removing The Security Chore of Identified Vulnerabilities

This last week we snuck in a new feature to nsp Live; the quick fix security button. This feature intends to remove the chore of figuring out what dependencies you need to update to what versions to fix a particular vulnerability.