This is a blog mirror of Snyk’s State of JavaScript frameworks security report 2019.

In this section, we review the security risk of the indirect dependencies for both Angular and React, and then we also review the direct dependencies, first for Angular and then for React.

The modules reviewed in this part do not represent a complete list of vulnerable React and Angular modules; some modules may have special naming conventions (such as all modules prefixed , , or for example) that would not appear in the pattern-based search we conducted.

The security risk of indirect dependencies

More often than not, projects based on React or…

As a follow-up to Snyk’s State of JavaScript frameworks security report 2019, this section of the report covers the overall security posture of the Angular and React projects.

The full report is available here:

In this section, we explore both the Angular and the React project security postures. This includes secure coding conventions, built-in security capabilities, responsible disclosure policies, and dedicated security documentation for the project.

The following table lays out a few of the security components we found to be essential for best-practice maintenance of any open source package, and an indication of how Angular and React manage said…

This article is from Snyk’s State of JavaScript frameworks security report 2019. In this blog post we’ll review security vulnerabilities found in other frontend ecosystem projects.

After reviewing Angular and React as major JavaScript frameworks, we’ll take a brief review of selected JavaScript and CSS frameworks: Vue.js, jQuery and Bootstrap.

The state of JavaScript frameworks security report 2019 | Snyk

jQuery security

jQuery took web development by storm a decade ago, but since then web development has been revolutionized further by single-page application technologies such as Angular and React. …

In the State of Open Source Security Report 2019, we set out to measure the pulse of the open source security landscape across the different language ecosystems. We analyzed responses from over five hundred open source maintainers and users, who provided insights into their processes, their knowledge of open source security risks, and the skill level of the average maintainer.

In addition to gaining insights from survey takers, we also analyzed data from multiple public and private sources, including Snyk’s own vulnerability database, to evaluate how security issues differ across languages, how long it takes…

It is likely you experienced the painful situation of deploying to production only to find out that an API service you integrate with has broken the contract. How can we effectively ensure this does not happen?

Whether Monoliths or Microservices, it is likely that your architecture now or in the future will evolve to include API interactions between autonomous services in your infrastructure.

When a service-oriented architecture shapes up (i.e., microservices), testing these API interactions becomes highly important in order to add a layer of confidence as different teams deploy new versions and risk breaking…

The JSHeroes conference will take place this year in April and bring in people from all over the world to connect with new and old friends, and learn about new topics.

The State of JSHeroes 2019

The JSHeroes community and the organizers, in particular, are known to work with full transparency as is expected from a community-led conference.

Last year they shared the 2018 transparency report, as they had done in the preceding year. In this spirit, I went ahead and plotted a bit of the data we gathered from the Call For Papers (CFP) applications.

In total, we had 324 CFP applications…

In an effort to better promote and increase engagement in the Node.js Security WG we would like to share highlights more often, ideally each quarter, in the following areas:

  1. Agenda — topics that we discuss and make their way into formal processes.
  2. Security Reports Spotlight — sharing vulnerability reports for a selected set of modules or areas in the Node.js ecosystem or Node.js core project.
  3. Celebrating new WG members or other general announcements.

Quarterly Agenda Topics

1. Security Bounty Program for Node.js Core and Ecosystem

We have two HackerOne programs that are on track, a third-party modules ecosystem where we triage reports for modules found on npm as well as a Node.js…

Last week the imaginable happened. A malicious package, flatmap-stream, was published to npm and was later added as a dependency to the widely used event-stream package by user right9ctrl. Some time, and 8 million downloads later, applications all over the web were unwittingly running malicious code in production. We wrote some early thoughts on our blog last week, moments after the incident came to light, but are now able to perform a deeper post-mortem including a timeline of the events as they took place. …

I guess naming is a hard task in general, and for the npm registry, the naming rules have evolved from what they were to begin with, much of which was about mitigating typosquatting attacks.

Uppercase vs Lowercase

In the beginning, the npm registry was case-sensitive and allowed publishing the same package name with different casing.

This led to the fact that we now have the following two different modules in the registry:

While the latter has been deprecated in favor of the former, they are still different packages.

The registry maintains any existing package names with upper case to not…

Liran Tal

🥑Developer Advocate @snyksec | @NodeJS Security WG | 🛰️ @jsheroes ambassador | Author of Essential Node.js Security | ❤️ #opensource #web ☕🍕🎸
