

Node.js security advisories - nodejs-news
https://nodesecurity.io/advisories

======
troygoode
I like the idea of having a centralized repository of these advisories, but I
need a better way of watching for changes for this to be effective. I was
hoping that the Twitter feed would be that (I would just turn on SMS
notification), but the Twitter feed is full of general low-value tweets like
"Thanks @espreto for being our 1000th follower!". Perhaps a separate Twitter
feed could be created (@nodesecurityadvisories?) that only tweets when new
advisories are posted on the site?

~~~
viraptor
I think the security checker from Sensio labs is the best approach to this.
You can upload your composer file, which is really the list of packages you
use and they'll check it against the known reports for various Symfony
modules. It's got both the API and its own module with a CLI tool, so you can
easily integrate it into monitoring.
[https://security.sensiolabs.org/](https://security.sensiolabs.org/)

I really wish other projects had something like that (rubygems, pypi, etc.)

~~~
kibibyte
There actually does exist one for Ruby. Check out gemcanary
[https://gemcanary.com/](https://gemcanary.com/)

~~~
gravis
and [https://gemnasium.com](https://gemnasium.com) (which supports npm as
well)

------
atishay811
Can't this be made simpler? Something like a CLI call, `npm vulnerable`. This
could take the package.json and list which of my packages need to be upgraded
or downgraded to be secure as per the known-issues database.

~~~
malandrew
it could also be run automatically when cd-ing into a directory by overriding
the default cd

    
    
        # Wrap cd so that entering a directory that has a package.json runs the check.
        # "npm check-vulnerabilities" stands in for the proposed subcommand; it is not
        # an existing npm command. Quote "$@" so paths with spaces work, and bail out
        # if the cd itself fails so the check never runs in the wrong directory.
        cd() {
          builtin cd "$@" || return
          if [ -f "package.json" ]; then
            npm check-vulnerabilities
          fi
        }
    

I reckon you could also use this with david[0] to check if packages are up to
date.

[0] [https://github.com/alanshaw/david](https://github.com/alanshaw/david)

~~~
atishay811
I did not mean outdated. npm outdated can do that. See
[https://npmjs.org/doc/cli/npm-outdated.html](https://npmjs.org/doc/cli/npm-outdated.html).
I was looking for insecure versions of the same through a public repo.

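The kind of check atishay811 is asking for (read the project's dependencies, match each installed version against a known-issues database, and report what has to move to a patched version), written out as an added example. This is not code from the thread, from npm, or from the Node Security Project. It assumes an advisory record shape of `module`, `vulnerable_versions` and `patched_versions` with comparator-style ranges such as `>=0.9.0, <0.9.5` (my naming, not the nodesecurity.io schema), and the module names and advisories below are constructed placeholders, not real vulnerabilities. It also assumes the versions in package.json are pinned; in a real tool the installed version should come from the lockfile or `npm ls`, because package.json normally holds ranges, not what is on disk.

```javascript
// Added example: a minimal "npm vulnerable"-style check. Only a comparator
// subset of semver ranges (<, <=, >, >=, =, comma-separated) is supported;
// ^, ~, x-ranges and || are deliberately out of scope.

function parseVersion(v) {
  // Prerelease/build suffixes are ignored; only major.minor.patch is compared.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every comma-separated clause must hold, e.g. ">=0.9.0, <0.9.5".
function satisfies(version, range) {
  return range.split(",").every((clause) => {
    const m = /^\s*(<=|>=|<|>|=)?\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`bad range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}

// Collect name -> version from package.json. A leading ^, ~, = or v is
// stripped; this is only correct when dependencies are pinned (assumption).
function installedVersions(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const out = {};
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      out[name] = String(spec).replace(/^[\^~=v]/, "");
    }
  }
  return out;
}

// Match installed versions against the advisory list; returns one finding per
// advisory whose vulnerable range contains the installed version.
function findVulnerable(versions, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const v = versions[adv.module];
    if (v === undefined) continue;
    if (satisfies(v, adv.vulnerable_versions)) {
      findings.push({
        module: adv.module,
        installed: v,
        title: adv.title,
        fix: adv.patched_versions,
      });
    }
  }
  return findings;
}

// Exit status a CLI wrapper would return: non-zero when anything is affected,
// so the check can gate a build or a deploy.
function exitStatus(findings) {
  return findings.length === 0 ? 0 : 1;
}

function formatReport(findings) {
  if (findings.length === 0) return ["no known-vulnerable modules found"];
  return findings.map(
    (f) => `${f.module}@${f.installed}: ${f.title} (move to ${f.fix})`
  );
}

// Constructed sample input: placeholder module names and placeholder advisories.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { "example-a": "1.4.0", "example-b": "=0.9.2", "example-c": "3.0.0" },
});
const SAMPLE_ADVISORIES = [
  { module: "example-a", title: "placeholder issue A", vulnerable_versions: "<1.5.0", patched_versions: ">=1.5.0" },
  { module: "example-b", title: "placeholder issue B", vulnerable_versions: ">=0.9.0, <0.9.5", patched_versions: ">=0.9.5" },
  { module: "example-c", title: "placeholder issue C", vulnerable_versions: "<2.0.0", patched_versions: ">=2.0.0" },
];

const sampleFindings = findVulnerable(installedVersions(SAMPLE_PACKAGE_JSON), SAMPLE_ADVISORIES);
console.log(formatReport(sampleFindings).join("\n"));
```

On the sample data the report flags example-a and example-b and leaves example-c alone, because 3.0.0 is outside its vulnerable range. The piece a real tool adds on top of this is the data feed: the advisory list would be fetched from the advisory site (or an API in front of it) rather than embedded, which is exactly the RSS/API gap the thread is complaining about.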
------
nodejs-news
At least an RSS stream will be needed?!

------
state
That connect vulnerability is pretty significant. Makes me pay attention
despite the fact there's no way to syndicate the feed.

------
AsymetricCom
How does node.js have _security_ advisories? Doesn't the fact that it's built
on top of JavaScript kind of throw the idea of security out the window to
start with? Shouldn't we start with _JavaScript security advisories_ first?

Honest question, have you ever seen a public Javascript security advisory?

~~~
cleverjake
>> Doesn't the fact that it's built on top of JavaScript kind of throw the
idea of security out the window to start with

No.

>> Shouldn't we start with JavaScript security advisories

It's a language, not a specific implementation of a language. Chrome's
JavaScript engine is what would have security vulnerabilities, not JavaScript
itself.

These aren't security advisories for Node itself; they are for Node modules.
The Node Security Project is auditing all of the modules in npm for security
issues and posting about them there.

~~~
AsymetricCom
>> It's a language, not a specific implementation of a language.

It's not even that, it's a dialect of ECMAScript.

