GitHub to Update npm to Thwart Software Supply Chain Attacks
NPM, part of GitHub, announced a new version of the npm package manager with several security improvements, including disabling install scripts
Node.js security covers vulnerabilities, dependency risks, and runtime defenses that can affect server-side applications and their data.
Search across headline titles and summaries.
Background for this topic.
Node.js is an open-source, cross-platform runtime that executes JavaScript outside a web browser, using Google’s V8 engine. Its event-driven, non-blocking input/output model is widely used for web servers, APIs, command-line tools, and backend services. The runtime is not itself an application framework; security outcomes depend substantially on the code and modules running within it.
Security concerns include vulnerabilities in the Node.js runtime, insecure application logic such as injection or server-side request forgery, and risks from the large npm dependency ecosystem. Malicious or compromised packages, unsafe install scripts, transitive dependencies, and prototype-pollution flaws can expand an application’s attack surface. Practitioners should track runtime and package advisories, use lockfiles and dependency review, restrict package-install and process permissions where practical, validate untrusted input, and protect credentials and session data. During incidents, dependency inventories and build records help determine whether a vulnerable module or runtime was deployed.
NPM, part of GitHub, announced a new version of the npm package manager with several security improvements, including disabling install scripts
GitHub has announced what it said are "breaking changes" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats
GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the 'npm install' command. [...]
Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors
Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks