Managing Node.js Docker images in GitHub Packages using GitHub Actions

If you’re doing open source development today, chances are high that you’re active within the GitHub community — participating in open source projects and their repositories. A recent addition to the GitHub ecosystem is GitHub Packages, which was announced back in 2019 and is now receiving even more updates with the general availability of the GitHub Packages container registry.


Snyk takes on responsibility for Node.js ecosystem vulnerability disclosure program

As announced last week by our good friends at the Node.js Foundation, Snyk has agreed to take over from the amazing Node.js ecosystem vulnerability disclosure program. As a company that’s been part of this program from a very early stage — and has been inspired by it to create our own multi-ecosystem disclosure program — it is a great honor to have been entrusted with this responsibility, and we thank the Node.js Foundation sincerely for their trust in this matter.


Snyk uncovers malicious code activities in open source supply chain security on the npm registry

Open source helps developers build faster. But who’s making sure these open source dependencies (sometimes years out of development) stay secure? In a recent npm security research activity, Snyk uncovered a total of 8 npm packages which matched a specific malicious code vector of attack. This specific attack vector of the malicious packages included packages which had pre/post install scripts, which allowed them to run arbitrary commands when installed.


5 ways to prevent code injection in JavaScript and Node.js

Writing secure code in a way that prevents code injection might seem like an ordinary task, but there are many pitfalls along the way. For example, the fact that you (a developer) follow best security practices doesn’t mean that others are doing the same. You’re likely using open source packages in your application. How do you know if those were developed securely? What if insecure code like eval() exists there? Let’s dive into it.


Preventing SQL injection in Node.js (and other vulnerabilities)

The database is an essential part of a web application. It’s where you receive and store users’ data, which you can then use to provide personalized services. As such, database security is an important part of every web application to ensure the safety and integrity of data collected from users. In this post, we’ll be looking at SQL database vulnerabilities in Node.js, like SQL injection, and how to prevent them.


Experimenting with remote debugging: Node.js runtime code injection

Remote debugging is fun to play around with. This article describes a method to dynamically change the behavior of a running Node.js process by enabling the remote inspector interface and then use the Chrome debug protocol. On Linux and MacOS, it is possible to send a SIGUSR1 signal to a running Node.js process. The process will open a websocket server listening on local interfaces only.


Docker for Node.js developers: 5 things you need to know not to fail your security

Docker is totalling up to over 50 billion downloads of container images. With millions of applications available on Docker Hub, container-based applications are popular and make an easy way to consume and publish applications. That being said, the naive way of building your own Docker Node.js web applications may come with many security risks. So, how do we make security an essential part of Docker for Node.js developers?


Top 11 Node.js security best practices

Node.js is extremely popular nowadays, primarily as a backend server for web applications. However, in the world of microservices, you can find it pretty much everywhere, playing different and important roles in a bigger application stack. One of the advantages of Node.js is the ability to install additional modules, which from the security point of view, provides more opportunities to open back doors.


Using Node.js Async Hooks to Monitor API performance.

Async hooks are one of those Node.js features that seem interesting when you first see them, but in practice they end up failing to provide overtly obvious use cases. At their core, async hooks are a way to step into the lifecycle of any asynchronous resource. This may be a promise, a timeout, streams, DNS lookups, and even HTTP requests—like API calls. Most examples are focused on tracking the execution context or enhancing asynchronous stack traces.