The JavaScript blog.


iojs node security

Security Updates: Node 0.12 and io.js

Posted on .

Today security updates for Node 0.12, io.js 2.3 and io.js 1.8 were released due to a UTF-8 decoding bug in V8:

Here's the technical overview from the io.js Medium post:

Kris Reeves and Trevor Norris pinpointed a bug in V8 in the way it decodes UTF strings. This impacts Node at the Buffer to UTF8 String conversion and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of Buffer to UTF8 String conversion. We know that HTTP(S) header parsing is not vulnerable because Node does not convert this data as UTF8. This is a small consolation because it restricts the way HTTP(S) can be exploited but there is more to HTTP(S) than header parsing obviously. We also have no information yet on how the various TLS terminators and forward-proxies in use may potentially mitigate against the form of data required for this exploit.

Node 0.10 is not affected. Thanks to Rod Vagg for letting me know about this!


security node npm privacy

npm: Scoped Package Metadata Leak

Posted on .

If you use npm private packages then there's a very serious data leak that you should be aware of. Metadata for private packages was accidentally made available from the public replication endpoint.

I've included the full announcement below:

We need to notify you of a serious security incident that was discovered today, July 2nd.

Starting on June 26th, scoped package metadata was available via the public replication endpoint from npm. This means that third parties were aware of metadata about scoped packages, including private packages. This metadata was limited to:

  • package names
  • versions and version publication dates

It's important to make clear that this does not include the packages themselves: package contents and source code were never available. User information such as passwords and billing information was not part of the information that leaked.

If your package metadata contained sensitive information, please take mitigation steps immediately. Because this information replicated, we will be making a public disclosure of the leak. However, to give you time to react (we are aware that it is a holiday weekend in the US) we will be holding off on the public announcement until Monday, July 6th.

We apologize wholeheartedly for this mistake and have taken steps to prevent this error. We are conducting a thorough review of our processes to avoid both this specific problem and any similar errors in the future.

Thank you for your continued support of npm. If you have any further questions or concerns please reach out to support@npmjs.com.

Check your readme files and package names to ensure nothing sensitive has been leaked. This is unfortunate, but npm is handling it promptly and professionally. With any service you rely on for commercial work, like GitHub, Bitbucket, npm, and CDNs, you should review what you publish before it's stored on remote systems.


libraries mobile node modules security sms

Node Roundup: no-sequence, CodeOnMobile, app-notify

Posted on .


If you've got a corporate policy for enforcing strong passwords, then you might want to look at what npm modules can help validate passwords rather than rolling your own. Eric Douglas sent in no-sequence (GitHub: thothJS/no-sequence, which checks to ensure passwords do not contain sequential characters:

var noSequence = require('no-sequence').checkSequence;  
var assert = require('assert');  
var password = '123456';  
var minSize = 6;

assert.equal(noSequence(password, minSize), false);  

The repository has examples and tests which show it working with character sequences and minimum and maximum sizes.


Daishi Kato has been working on a new project that allows you to write code on phones and tablets. He notes that this is good for holiday hacking, when you're stranded without a desktop/laptop.


It works with GitHub accounts, and there's a live demo here: codeonmobile.axlight.com. The source is available at GitHub under dai-shi/codeonmobile with a BSD license, and uses Codeship to deploy your app to Heroku.


app-notify (GitHub: chovy/app-notify, License: ISC, npm: app-notify) by Anthony Ettinger is a module for sending SMS messages. You can use promises, or callbacks:

  message: 'Hello world'

It requires Twilio credentials for SMS, and can also send email (with nodemailer).


libraries modules security live-reload

Node Roundup: 0.10.33, Node.js Best Practices, Puer

Posted on .

0.10.33 and Signing Validation

0.10.33 came out last week, which fixes the POODLE vulnerability by disabling SSLv2/SSLv3. You may find this release breaks legacy browsers like IE6:

If you wish to enable SSLv2 or SSLv3, run node with the --enable-ssl2 or --enable-ssl3 flag respectively. In future versions of Node.js SSLv2 and SSLv3 will not be compiled in by default.

If you see errors like "wrong version number" when connecting to other servers, then you may want to upgrade those as well:

If your application is behaving as a secure client and communicating with a server that doesn't support methods more secure than SSLv3 then your connection won't be able to negotiate and will fail. In this case your client will emit an error event. The error message will include 'wrong version number'.

On the topic of security, when I was reading the release notes I realised that they're signed by the author's PGP signature. If you ever want to validate these signatures then you can do so with Keybase. Keybase has a nice command-line tool that you can install with npm install keybase. After signing in, you can verify the message:

Node release notes verification

In the screenshot you should be able to see that the message was written by tjfontaine. Keybase has a web interface as well, so you can just paste in the signature:

Web verification

Node.js Best Practices

Alan James sent in an interesting and useful resource called Node.js Best Practices (GitHub: alanjames1987 / Node.js-Best-Practices). It lists some things that the author has found useful when teaching Node to beginners, like checking for errors in callbacks, use strict, and avoiding requiring modules inside functions.

One of the tips is to save a reference to this. Teaching JavaScript's scope rules is indeed problematic, and although I often find .bind cleaner that is an additional piece of cognitive baggage that is hard to explain to beginners. Alan is open to pull requests for the document on GitHub, so it may be worth helping to expand some sections like this one.


Puer (npm: puer) is a static server for client-side development that can automatically update CSS without a page reload. It supports Connect middleware, and can mock requests.

I still use solutions that force me to reload the content in the browser, usually based on Grunt or Gulp modules. These can have a small delay that forces me to reload twice in some cases, so I'm always trying out modules like this to find a better one.


node modules security git

Node Roundup: V8 Vulnerability, git-promise, awesome-nodejs

Posted on .

V8 Memory Corruption

The versions of V8 included with Node 0.8 and 0.10 were found to have a memory corruption vulnerability. The issue was discovered by a security specialist, and then a core Node contributor worked with the V8 team to fix the problem. More details can be found in the V8 Memory Corruption and Stack Overflow post on the Node blog.

That means Node 0.8.28 and Node 0.10.30 have been released which both include a fix. 0.10.30 also has some changes to several core modules, including buffer, streams, and child process.


git-promise (GitHub: piuccio / git-promise, License: MIT, npm: git-promise) by Fabio Crisci is a promise-based wrapper for Git:

var git = require('git-promise');

git('rev-parse --abbrev-ref HEAD').then(function(branch) {  
  console.log(branch); // This is your current branch

The readme has more advanced examples, like finding the commit where master diverged from your current branch. Fabio has included some tests written with nodeunit.


Sindre Sorhus sent in awesome-nodejs, a curated list of Node modules and resources. It's a handy list to check if you're looking for a module and are overwhelmed by choice, or not sure where to start on a topic.

There's also an awesome list of awesome lists, which leads to awesome-javascript, and then back again.