Node.js security advisories (nodesecurity.io)
40 points by nodejs-news 4667 days ago
5 comments

I like the idea of having a centralized repository of these advisories, but I need a better way of watching for changes for this to be effective. I was hoping that the Twitter feed would be that (I would just turn on SMS notification), but the Twitter feed is full of general low-value tweets like "Thanks @espreto for being our 1000th follower!". Perhaps a separate Twitter feed could be created (@nodesecurityadvisories?) that only tweets when new advisories are posted on the site?
I think the security checker from SensioLabs is the best approach to this. You can upload your composer file, which is really the list of packages you use, and they'll check it against the known reports for various Symfony modules. It's got both the API and its own module with a CLI tool, so you can easily integrate it into monitoring. https://security.sensiolabs.org/

I really wish other projects had something like that (rubygems, pypi, etc.)

There actually does exist one for Ruby. Check out gemcanary https://gemcanary.com/
and https://gemnasium.com (which supports npm as well)
Can't this be made simpler? Something like a CLI call "npm vulnerable". This could take the package.json and list which of my packages need to be upgraded or downgraded to be secure, as per the known-issues database.
It could also be run automatically when cd-ing into a directory by overriding the default cd:

    cd() {
      # quote the arguments so paths with spaces work; stop if the cd itself failed
      builtin cd "$@" || return
      if [ -f "package.json" ] ; then
        # the subcommand proposed above (does not exist in npm as-is)
        npm check-vulnerabilities
      fi
    }
I reckon you could also use this with david[0] to check if packages are up to date.

[0] https://github.com/alanshaw/david

I did not mean outdated. npm outdated can do that. See https://npmjs.org/doc/cli/npm-outdated.html I was looking for insecure versions of the same through a public repo.
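The "npm vulnerable" idea from the comment above, sketched as an added example (not code from the thread or from nodesecurity.io): it reads the dependencies from a package.json, looks each one up in an advisory database and reports the ones whose declared version falls in a vulnerable range. The advisory entries, package names and ids are constructed for illustration, and only a minimal subset of semver range syntax is handled.

```javascript
// Added example, not from the thread: a sketch of the proposed "npm vulnerable".
// Reads package.json dependencies, matches each against an advisory database and
// reports the ones whose declared version lies in a vulnerable range.
// Minimal semver: "^1.2.3" -> [1, 2, 3]; a leading ^/~ is dropped, so a range
// spec is judged by its lowest resolvable version (a deliberate simplification).
function parseVersion(v) {
  return v.replace(/^[~^=v]/, "").split("-")[0].split(".").map(Number);
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Comparator semantics keyed by operator; c is compareVersions(version, bound).
const OPS = { "<": (c) => c < 0, "<=": (c) => c <= 0, ">": (c) => c > 0,
              ">=": (c) => c >= 0, "=": (c) => c === 0 };
// Supported range syntax: space-separated comparators ANDed, e.g. ">=2.0.0 <2.7.5".
function inRange(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const m = c.match(/^(<=|>=|<|>|=)?(.+)$/);
    return OPS[m[1] || "="](compareVersions(version, m[2]));
  });
}
// Constructed advisory database: hypothetical packages and ids, not real advisories.
const ADVISORIES = [
  { name: "example-web", vulnerable: "<2.7.5", patched: "2.7.5", id: "EXAMPLE-0001" },
  { name: "example-parser", vulnerable: ">=1.0.0 <1.3.0", patched: "1.3.0", id: "EXAMPLE-0002" },
];
// One finding per dependency (regular or dev) whose version matches an advisory.
function findVulnerable(pkg, advisories = ADVISORIES) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    for (const adv of advisories) {
      if (adv.name === name && inRange(spec, adv.vulnerable)) {
        findings.push({ name, installed: spec, advisory: adv.id, upgradeTo: adv.patched });
      }
    }
  }
  return findings;
}
// Constructed package.json contents, standing in for reading the file from disk.
const SAMPLE_PACKAGE = {
  dependencies: { "example-web": "^2.6.1", "example-parser": "1.3.0" },
  devDependencies: { "example-ok": "0.1.0" },
};
// Usage: console.log(findVulnerable(SAMPLE_PACKAGE)); // reports example-web only
```

A real tool would read package.json from disk and fetch the advisory list from the site, but the matching logic is the same.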
That's brilliant, but the search operates on titles, the /package/:name route appears to be broken and there's no RSS. I give up.
At least an RSS stream will be needed?!
That connect vulnerability is pretty significant. Makes me pay attention despite the fact there's no way to syndicate the feed.
How does node.js have security advisories? Doesn't the fact that it's built on top of JavaScript kind of throw the idea of security out the window to start with? Shouldn't we start with JavaScript security advisories first?

Honest question, have you ever seen a public JavaScript security advisory?

>> Isn't the fact that it's built on top of JavaScript kind of throw the idea of security out the window to start with

No.

>> Shouldn't we start with JavaScript security advisories

It's a language, not a specific implementation of a language. Chrome's JavaScript engine is what would have security vulnerabilities, not JavaScript itself.

This isn't security advisories for node itself, it is for node modules. The Node Security Project is auditing all of the modules in npm for security issues, and posting about them there.

>> Its a language, not a specific implementation of a language.

It's not even that, it's a dialect of ECMAScript.