The State of Node.js Security


I will provide an in-depth analysis of the initiatives led by the Node.js Security Team, exploring their significance and the benefits they bring to end users. Since 2022 we have completed a great deal of work, and the goal of this talk is to showcase the concluded initiatives, highlighting the advances made in fortifying the security of Node.js applications. I will also unveil what you can expect from upcoming releases, offering a glimpse into the future of Node.js security. From vulnerability management to secure coding practices and beyond, this talk will equip you with valuable insights into the measures taken to enhance protection and ensure a more secure Node.js environment.

This talk was presented at Node Congress 2026; check out the latest edition of this JavaScript conference.

FAQ

A Node.js vulnerability is a security flaw that falls within the boundaries defined by the Node.js threat model. It typically involves issues like HTTP request smuggling, timing attacks, or memory access violations, which Node.js should protect against.

Node.js vulnerabilities can be reported through HackerOne. If you believe you have found a vulnerability while fuzzing Node.js source code, you can send a report via HackerOne for review.

The Node.js threat model defines the boundaries for security within Node.js, specifying what is considered a vulnerability and what is not. It outlines Node.js' responsibility in protecting against certain threats and what developers must handle themselves.

No, prototype pollution is not considered a Node.js vulnerability. It is an issue that developers need to address by ensuring they install and use only trustworthy packages.

The '--frozen-intrinsics' flag in Node.js is a precautionary measure that prevents modification of the prototypes of built-in (native or primitive) objects. It acts as a seatbelt, not as a complete security measure.
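The two answers above put the responsibility for prototype pollution on the application, with '--frozen-intrinsics' as a runtime seatbelt. The following is an added example, not code from the talk or from the Node.js project: a deep merge for untrusted input (such as a parsed JSON body) that refuses the keys through which a merge can reach a shared prototype, reports them as a tampering signal, and checks whether the process was started with the flag. The payload is constructed for illustration, and the file name in the comment is an assumption.

```javascript
// Added example, not code from the talk: the defence against prototype
// pollution lives in the application, with --frozen-intrinsics as a
// runtime seatbelt. Run the demo normally and then as
//     node --frozen-intrinsics safe-merge.js
// (file name is an assumption) to see the "frozen" field flip to true.

// Keys through which a recursive merge can reach a shared prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merges untrusted data (for example a parsed JSON body) into target,
// skipping the polluting keys instead of following them. The rejected key
// paths are returned so the caller can log them as a tampering signal.
function safeMerge(target, source, path = '', rejected = []) {
  for (const key of Object.keys(source)) {
    const keyPath = path ? `${path}.${key}` : key;
    if (POLLUTING_KEYS.has(key)) {
      rejected.push(keyPath);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value, keyPath, rejected);
    } else {
      target[key] = value;
    }
  }
  return { merged: target, rejected };
}

// True only when the process runs with --frozen-intrinsics, which freezes
// built-ins such as Object.prototype so polluting writes fail instead of
// silently changing every object in the process.
function intrinsicsFrozen() {
  return Object.isFrozen(Object.prototype);
}

// Constructed payload shaped like a tampered request body.
const TAMPERED_BODY =
  '{"name":"alice","__proto__":{"isAdmin":true},' +
  '"profile":{"constructor":{"prototype":{"x":1}},"theme":"dark"}}';

function demo() {
  // JSON.parse creates an *own* property named __proto__, which is exactly
  // what a naive merge would then write through to Object.prototype.
  const untrusted = JSON.parse(TAMPERED_BODY);
  const { merged, rejected } = safeMerge({ role: 'user' }, untrusted);
  return {
    merged,
    rejected,                         // ['__proto__', 'profile.constructor']
    polluted: ({}).isAdmin === true,  // false: Object.prototype untouched
    frozen: intrinsicsFrozen(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The rejected paths are worth logging with the request that carried them: a body containing '__proto__' or 'constructor.prototype' keys has no legitimate reason to exist and is a useful detection signal, whichever package eventually processes it.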

The Node.js permission model restricts access to your app's file system, child processes, worker threads, and network. It requires specifying allowed read/write access, acting as a seatbelt to prevent unauthorized actions by potentially malicious packages.
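As an added example (not code from the talk or the Node.js project), the script below derives permission-model flags from an application's declared needs and verifies at start-up that the running process actually grants them. It assumes the experimental model shipped in Node.js 20: the flags --experimental-permission, --allow-fs-read, --allow-fs-write, --allow-child-process and --allow-worker (an --allow-fs-* flag repeated once per path), the process.permission.has(scope[, reference]) API with the scopes 'fs.read', 'fs.write', 'child' and 'worker', and the ERR_ACCESS_DENIED error code. APP_POLICY, policyToFlags, checkGranted, isPermissionDenied, startupReport and the paths are hypothetical.

```javascript
// Added example, not code from the talk: deriving permission-model flags
// from an application's declared needs and verifying them at start-up.
// Assumed to match the experimental model in Node.js 20 (flags and
// process.permission.has as named in the lead-in). All names below are
// hypothetical.

// What this app legitimately needs; anything outside it should be denied.
const APP_POLICY = {
  fsRead: ['/srv/app', '/etc/ssl/certs'],
  fsWrite: ['/srv/app/data'],
  childProcess: false,
  worker: true,
};

// Command-line flags that grant exactly the policy and nothing more,
// covering the file-system, child-process and worker scopes.
function policyToFlags(policy) {
  const flags = ['--experimental-permission'];
  for (const p of policy.fsRead) flags.push(`--allow-fs-read=${p}`);
  for (const p of policy.fsWrite) flags.push(`--allow-fs-write=${p}`);
  if (policy.childProcess) flags.push('--allow-child-process');
  if (policy.worker) flags.push('--allow-worker');
  return flags;
}

// Asks the running process whether each requirement is granted, so a
// misconfigured launch fails fast instead of at the first denied call.
// process.permission only exists when the model is active, so the result
// also tells the caller whether the seatbelt is on at all.
function checkGranted(policy) {
  const perm = process.permission;
  if (!perm) return { enabled: false, denied: [] };
  const denied = [];
  for (const p of policy.fsRead) {
    if (!perm.has('fs.read', p)) denied.push(`fs.read ${p}`);
  }
  for (const p of policy.fsWrite) {
    if (!perm.has('fs.write', p)) denied.push(`fs.write ${p}`);
  }
  if (policy.childProcess && !perm.has('child')) denied.push('child');
  if (policy.worker && !perm.has('worker')) denied.push('worker');
  return { enabled: true, denied };
}

// A denied operation throws an error with this code; catching it lets the
// app log which dependency tried to step outside the allow-list.
function isPermissionDenied(err) {
  return Boolean(err) && err.code === 'ERR_ACCESS_DENIED';
}

function startupReport(policy) {
  const granted = checkGranted(policy);
  return {
    launch: `node ${policyToFlags(policy).join(' ')} app.js`, // app.js assumed
    enabled: granted.enabled,
    denied: granted.denied,
    ok: granted.enabled && granted.denied.length === 0,
  };
}

console.log(JSON.stringify(startupReport(APP_POLICY), null, 2));
```

Run without the flag, the report says enabled: false, which is the case to treat as a deployment error in production: the seatbelt protects only when the process is launched with it.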

Examples of real Node.js vulnerabilities include HTTP request smuggling, timing attacks, memory access violations, and DNS rebinding. These are issues that Node.js should protect against.

Upgrading to the latest Node.js version ensures you receive security patches and updates, protecting against vulnerabilities that older, unsupported versions may not cover.

The 'npx is-my-node-vulnerable' tool checks whether you are running a secure version of Node.js. It indicates if your Node.js version is outdated and vulnerable, helping you maintain security.
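The decision behind "is my version outdated and vulnerable?", as an added example that is not the is-my-node-vulnerable tool's own code: the running version is parsed, its release line looked up, and three outcomes distinguished: an end-of-life line (no fix will ever ship), a version that predates the line's latest security release, or a current version. SAMPLE_RELEASE_LINES is constructed for illustration only; a real check must consult the current Node.js release and security-release data, which is not reproduced here.

```javascript
// Added example, not the is-my-node-vulnerable tool's own code: the decision
// logic behind such a check, applied to process.version. SAMPLE_RELEASE_LINES
// is CONSTRUCTED for illustration; a real check must use the current Node.js
// release and security-release data.

// major line -> { eol, latestSecurity }: constructed placeholder values.
const SAMPLE_RELEASE_LINES = {
  16: { eol: true, latestSecurity: '16.20.2' },
  18: { eol: false, latestSecurity: '18.20.1' },
  20: { eol: false, latestSecurity: '20.12.1' },
};

// Parses "v20.12.1" or "20.12.1" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable Node.js version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "20.12.10" sorts after "20.12.9".
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Three outcomes matter: the line is end-of-life (no fixes will ever come),
// the version predates the line's latest security release, or it is current.
function assessVersion(version, releaseLines = SAMPLE_RELEASE_LINES) {
  const [major] = parseVersion(version);
  const line = releaseLines[major];
  if (!line) {
    return { version, status: 'unknown', reason: `release line ${major} is not in the table` };
  }
  if (line.eol) {
    return { version, status: 'vulnerable', reason: `release line ${major} is end-of-life; no security patches are published for it` };
  }
  if (compareVersions(version, line.latestSecurity) < 0) {
    return { version, status: 'vulnerable', reason: `older than security release ${line.latestSecurity}; upgrade` };
  }
  return { version, status: 'ok', reason: `at or above security release ${line.latestSecurity}` };
}

console.log(assessVersion(process.version));
```

The end-of-life branch is the one that matters most in practice: a version on an unsupported line is reported as vulnerable regardless of its patch number, because no security release will ever be published for it.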

Node.js issues security releases to address vulnerabilities. The process involves automating release tasks, running extensive tests, and ensuring compatibility across various environments. Security releases are documented in blog posts on the Node.js website.

Rafael Gonzaga
27 min
26 Mar, 2026

Video Summary and Transcription
An overview of Node.js security: defining vulnerabilities, non-vulnerabilities, and preventive measures. Node.js API input validation, real vulnerabilities such as HTTP server crashes, and why Node.js security matters on widely used platforms.

Node.js maintenance, the experimental permission model introduced in Node.js 20, and the "seatbelt" philosophy for protecting against malicious code. Keeping Node.js versions up to date and using tools such as npx is-my-node-vulnerable for security checks.

Node.js security releases, funding, and dependency vulnerability assessment for a safer Node.js environment. Using the Node.js Dependency Vulnerability Assessment to evaluate and address potential vulnerabilities, with automated security checks and updates.

Automating the Node.js security release process: configuration files for dependencies, extensive testing across many environments, and automatic creation of security release issues and blog posts. Support for many environments, with over 55 test suites and 5,000 unit tests; for a single pull request it takes six hours to run the tests, and automation efforts are in progress.

A maintenance threat model to address security risks, the permission model roadmap, ongoing discussions on security reports, and plans for the Node.js Collaborator Summit. Active community involvement in Node.js security development; four security releases from 2024 to 2026 addressing various vulnerabilities; an end-of-life version strategy, with Node.js 16 and 18 still having high weekly downloads, and the approach to issuing CVEs for end-of-life versions.

The project's adjusted CVE strategy, which now covers end-of-life versions; the importance of the Node.js threat model, trust boundaries, and developer responsibilities. Node.js protection against network data, upgrade recommendations for the different Node.js versions, and upcoming changes in the Node.js release schedule.
