Improve Security of node_modules and package.json Resolution · Issue #43192 · nodejs/node
What is the problem this feature will solve? It is easy to accidentally allow another user to influence what code node loads and executes. Details can be found at HackerOne reports 1564437 (CommonJS module loading), 1564444 (ECMAScript module resolution), and 1564445 (package.json). While these behaviors are documented, the security implications are easy to overlook. Insecure patterns around these
Permission Model · Issue #791 · nodejs/security-wg
Permission Model initial issue Hello everybody! Following up on the Security Model initiative and the Mini summit (Next-10) in April seems and consensus that Node.js aims to have a security permission system, thus, avoiding third-party libraries to access machine resources without user consent. This system was previously researched by James Snell and Anna Henningsen[1], which resulted in an excell
A walk through Project Zero metrics
Posted by Ryan Schoen, Project Zero tl;drIn 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.In addition to the average now being well below the 90-day deadline, we have also seen a dropoff in vendors missing the deadline (or the additional 14-day grace period). In 20
Core:Manipulation: Add basic TrustedHTML support by mgol · Pull Request #4927 · jquery/jquery
Summary This ensures HTML wrapped in TrustedHTML can be used as an input to jQuery manipulation methods in a way that doesn't violate the require-trusted-types-for Content Security Policy directive. This commit builds on previous work needed for trusted types support, including gh-4642 and gh-4724. One restriction is that while any TrustedHTML wrapper should work as input for jQuery methods like .
1567114 - MITM on all HTTPS traffic in Kazakhstan
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Steps to reproduce: Since today all Internet providers in Kazakhstan started MITM on all encrypted HTTPS traffic. They asked end-users to install government-issued certificate authority on all devices in every browser: http://qca.kz/ Actual results: MITM attack: https://i.imgur.com/rFEjXKw.jpg Message from Int
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
security: fix DOM clobbering in auto public path by alexander-akait · Pull Request #18700 · webpack/webpack
LavaDome is vulnerable to onmouseover · Issue #37 · LavaMoat/LavaDome
Discontinued · Issue #533 · patriksimek/vm2
feat: add shell access to auto-gpt command loop by esgoode · Pull Request #135 · Significant-Gravitas/AutoGPT
Define a policy container · Issue #4926 · whatwg/html
GitHub - BugAlertDotOrg/bugalert
[spec] Normative: Support [Serializable] for WebAssembly.Module by littledan · Pull Request #711 · WebAssembly/spec
Restrict LDAP access via JNDI by rgoers · Pull Request #608 · apache/logging-log4j2
Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js · Issue #536 · faisalman/ua-parser-js
Support single string input without using the `shell` option by ehmicky · Pull Request #182 · sindresorhus/execa
Help, `npm audit` says I have a vulnerability in react-scripts! · Issue #11174 · facebook/create-react-app
Sandbox mode for external scripts · Issue #1639 · denoland/deno
Warn for javascript: URLs in DOM sinks by sebmarkbage · Pull Request #15047 · facebook/react
Cross-site loads of signed packages should be done stateless and with no personalization · Issue #423 · WICG/webpackage
Suggestion: Provide standards around integrity between source code and published package · Issue #77 · nodejs/package-maintenance