snyk.io
We will continue to update this blog with any key updates, including updates on the disclosure of any new related vulnerabilities. This blog includes links to detailed blogs on each of the disclosed vulnerabilities, as well as two open source tools to aid in exploit detection. Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky
JavaScript runtimes help you build advanced, server-driven JavaScript projects that aren't dependent on the user's browser to run. There are several choices of runtimes available, with the supremacy of the old stalwart Node.js being challenged by Deno and Bun. Deno is the latest project produced by the same developer who originally created Node.js, Ryan Dahl, back in 2009. Deno aims to improve its
Snyk has checked our own systems and tools for usage of OpenSSL v3. We identified that the Snyk Broker, versions 4.127.0 to 4.134.0, uses an affected version of OpenSSL 3.0, and should be upgraded to version 4.135.0 or newer. Snyk Broker enables customers to integrate supported internal SCM platforms with Snyk. On Oct 25, 2022, the OpenSSL project announced a forthcoming release of OpenSSL (versio
This post, originally published on October 18, 2022, has been updated to show how Snyk can help you establish secure JavaScript URL validation. When developers need to handle URLs in different forms for different purposes — such as browser history navigation, anchored targets, query parameters, and so on — we often turn to JavaScript. However, its frequent use motivates attackers to exploit its vu
Updated to include Chainguard Distroless Image for Node.js. (August 31, 2023) Updated recommended Node.js version, examples and vulnerability scan results to reflect the up-to-date Node.js LTS releases. Choosing a Node.js Docker image may seem like a small thing, but image sizes and potential vulnerabilities can have dramatic effects on your CI/CD pipeline and security posture. So, how do you choo
Technology is always changing and your processes and practices need to keep up with those changes. So while npm is 12 years old, your practices around npm package creation should hopefully be a lot more modern. If you have a feeling they may be a little out of date, though, keep reading. In this tutorial, we’re going to walk step by step through creating an npm package using modern best practices
On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package. This security incident involves destructive acts of corrupting files
On January 8, 2022, the open source maintainer of the wildly popular npm package colors published colors@1.4.1 and colors@1.4.44-liberty-2, in which they intentionally introduced an offending commit that adds an infinite loop to the source code. The infinite loop is triggered and executed immediately upon initialization of the package’s source code, and would result in a Denial of Service (DoS) to
We have been witnessing an ever-growing number of supply chain security incidents in the wild. Everything from security flaws in open source package managers being exploited, to continuous integration systems being compromised, to software artifacts being backdoored. And now, those incidents are starting to extend to the place where developers spend most of their time: their integrated development envi
To stay ahead of attackers, we constantly monitor various security threats. One of these threats — supply chain attacks — aims to compromise an organization through its software development process. Recently, a huge spike in supply chain attacks was observed — dependency confusion was discovered, the SolarWinds breach was reported and more malicious packages were flagged. This certainly drew our a
Popularity: Understand the prevalence of an open source package using metrics such as downloads and source code repository stars to measure popularity. Maintenance: Get insights about an open source dependency's health and assess the sustainability of the project. Security: Quickly assess the security posture of an open source project and its past versions. Further connecting your project with Snyk wil
September 14, 2022: Check out our new and improved cheat sheet for containerizing Node.js web applications with Docker! Are you looking for best practices on how to build Node.js Docker images for your web applications? Then you’ve come to the right place! The following article provides production-grade guidelines for building optimized and secure Node.js Docker images. You’ll find it helpful rega
During the day, I spend my time analyzing Terraform code, Kubernetes object configuration files, and identifying common security issues. When the sun sets, I put on my hoodie, fire up Linux VMs and debuggers to look under the hood of technologies that make up the cloud native ecosystem. In this post, we will explore how Kubernetes container isolation impacts privilege escalation attacks. We will u
The date on this post reflects its latest update. This post was originally published on October 28, 2020. Looking for the best ways to secure your React app? Then you’ve come to the right place! We’ve created this checklist of React security best practices to help you and your team find and fix security issues in your React applications. We’ll also show you how to automatically test your React cod
Snyk adds security directly into your IDE with real-time vulnerability scanning of code, open source libraries, containers, and cloud infrastructure — and provides actionable fix advice in-line so you can fix quickly and move on.
On the 11th of December, 2019, a security vulnerability which extends to all major JavaScript package managers (npm, yarn and pnpm) was publicly disclosed. This vulnerability, discovered by security researcher Daniel Ruf, allows malicious actors to carry out arbitrary file overwrites using a variety of tactics. In this article: How do Node.js command line packages work? How does this security vulnerability affe
Welcome to Snyk's State of JavaScript frameworks security report 2019. In this report, we investigate the state of security for both the Angular and React ecosystems. This report by no means intends to venture into any rivalries that may exist between the two in terms of whether one or the other is a true framework - we are not comparing them as competitive frameworks at all. Instead, we review th
I recently started playing around with the idea of threat modeling packages on the npm ecosystem. Can an event-stream incident happen again? How about other supply chain attacks? What will be the next vector of attack that we haven’t seen yet, and might it be entirely preventable? And then, one day I had a eureka moment! Let me show you how easy it is to introduce back doors that are easily missed by pr
On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an ongoing analysis led by the Snyk security research team. UPDATE: lodash published version 4.17.12 on July 9th which includes Snyk fixes and remediates the vulnerability. We strongly recommend you update to the latest version of lodash
On March 26, 2019, a malicious version of the popular bootstrap-sass package, which has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. Version 3.2.0.3 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications. We have already added the vulnerability to our database, and if your project is bei
A recent experimental feature for introducing integrity policies landed in Node.js core 11.8.0. This capability, so far shipped only in a non-LTS version, provides integrity checks for a Node.js runtime when modules are being loaded, in order to verify that the module code hasn’t been tampered with. Bradley Farias introduced this change in October 2018 and borrowed the idea from a similar security feature
What is package-lock.json? In this article, we will discuss both npm's package lock file `package-lock.json` as well as Yarn's `yarn.lock`. Package lock files serve as a rich manifest of dependencies for projects that specify the exact version of dependencies to be installed, as well as the dependencies of those dependencies, and so on — to encompass the full dependency tree. A package lock file i
The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, R