Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
buddy-tunnel
Advanced tools
Node.js is an open-source, cross-platform JavaScript runtime environment.
For information on using Node.js, see the Node.js website.
The Node.js project uses an open governance model. The OpenJS Foundation provides support for the project.
Contributors are expected to act in a collaborative manner to move the project forward. We encourage the constructive exchange of contrary opinions and compromise. The TSC reserves the right to limit or block contributors who repeatedly act in ways that discourage, exhaust, or otherwise negatively affect other participants.
This project has a Code of Conduct.
Looking for help? Check out the instructions for getting support.
Current and LTS releases follow semantic versioning. A member of the Release Team signs each Current and LTS release. For more information, see the Release README.
Binaries, installers, and source tarballs are available at https://nodejs.org/en/download/.
https://nodejs.org/download/release/
The latest directory is an alias for the latest Current release. The latest-codename directory is an alias for the latest release from an LTS line. For example, the latest-hydrogen directory contains the latest Hydrogen (Node.js 18) release.
https://nodejs.org/download/nightly/
Each directory name and filename contains a date (in UTC) and the commit SHA at the HEAD of the release.
Documentation for the latest Current release is at https://nodejs.org/api/. Version-specific documentation is available in each release directory in the docs subdirectory. Version-specific documentation is also at https://nodejs.org/download/docs/.
Download directories contain a SHASUMS256.txt
file with SHA checksums for the
files.
To download SHASUMS256.txt
using curl
:
curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt
To check that a downloaded file matches the checksum, run
it through sha256sum
with a command such as:
grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
For Current and LTS, the GPG detached signature of SHASUMS256.txt
is in
SHASUMS256.txt.sig
. You can use it with gpg
to verify the integrity of
SHASUMS256.txt
. You will first need to import
the GPG keys of individuals authorized to create releases. To
import the keys:
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4ED778F539E3634C779C87C6D7062848A1AB005C
See Release keys for a script to import active release keys.
Next, download the SHASUMS256.txt.sig
for the release:
curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
Then use gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
to verify
the file's signature.
See BUILDING.md for instructions on how to build Node.js from source and a list of supported platforms.
For information on reporting security vulnerabilities in Node.js, see SECURITY.md.
For information about the governance of the Node.js project, see GOVERNANCE.md.
Collaborators follow the Collaborator Guide in maintaining the Node.js project.
Triagers follow the Triage Guide when responding to new issues.
Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
4ED778F539E3634C779C87C6D7062848A1AB005C
141F07595B7B3FFE74309A937405533BE57C7D57
74F12602B6F1C4E913FAA37AD3A89613643B6201
DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7
CC68F5A3106FF448322E48ED27F5E38D5B0A215F
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C
108F52B48DB57BB0CC439B2997B01419BD92F80A
A363A499291CBBC940DD62E41F10027AF002F8B0
To import the full set of trusted release keys (including subkeys possibly used to sign releases):
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4ED778F539E3634C779C87C6D7062848A1AB005C
gpg --keyserver hkps://keys.openpgp.org --recv-keys 141F07595B7B3FFE74309A937405533BE57C7D57
gpg --keyserver hkps://keys.openpgp.org --recv-keys 74F12602B6F1C4E913FAA37AD3A89613643B6201
gpg --keyserver hkps://keys.openpgp.org --recv-keys DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7
gpg --keyserver hkps://keys.openpgp.org --recv-keys CC68F5A3106FF448322E48ED27F5E38D5B0A215F
gpg --keyserver hkps://keys.openpgp.org --recv-keys 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600
gpg --keyserver hkps://keys.openpgp.org --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
gpg --keyserver hkps://keys.openpgp.org --recv-keys 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg --keyserver hkps://keys.openpgp.org --recv-keys C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C
gpg --keyserver hkps://keys.openpgp.org --recv-keys 108F52B48DB57BB0CC439B2997B01419BD92F80A
gpg --keyserver hkps://keys.openpgp.org --recv-keys A363A499291CBBC940DD62E41F10027AF002F8B0
See Verifying binaries for how to use these keys to verify a downloaded file.
9554F04D7259F04124DE6B476D5A82AC7E37093B
94AE36675C464D64BAFA68DD7434390BDBE9B9C5
1C050899334244A8AF75E53792EF661D867B9DFA
B9AE9905FFD7803F25714661B63B535A4C206CA9
77984A986EBC2AA786BC0F66B01FBB92821C587A
93C7E9E91B49E432C2F75674B0A78B0A6C481CF6
56730D5401028683275BD23C23EFEFE93C4CFFFE
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
FD3A5288F042B6850C66B31F09FE44734EB7990E
61FC681DFB92A079F1685E77973F295594EC4689
114F43EE0176B71C7BC219DD50A3051F888C628D
DD8F2338BAE7501E3DD5AC78C273792F7D83545D
A48C2BEE680E841632CD4E44F07496B3EB3C1762
B9E2F5981AA6E0CD28160D9FF13993A75599653C
7937DFD2AB06298B2293C3187D33FF9D0246406D
When possible, the commitment to take slots in the security release steward rotation is made by companies in order to ensure individuals who act as security stewards have the support and recognition from their employer to be able to prioritize security releases. Security release stewards manage security releases on a rotation basis as outlined in the security release process.
Node.js is available under the MIT license. Node.js also includes external libraries that are available under a variety of licenses. See LICENSE for the full license text.
FAQs
Unknown package
The npm package buddy-tunnel receives a total of 22 weekly downloads. As such, buddy-tunnel popularity was classified as not popular.
We found that buddy-tunnel demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.