
node-version-audit
Node Version Audit is a convenience tool to easily check a given Node.js version against a regularly updated list of CVE exploits, new releases, and end of life dates.
Node Version Audit is not: exploit detection/mitigation, vendor-specific version tracking, a replacement for staying informed on Node.js releases and security exploits.
Pass --fail-security to set a failure exit code if the given version of Node.js has a known CVE or is no longer supported.
npx node-version-audit@latest --version=16.14.1
{
  "auditVersion": "16.14.1",
  "hasVulnerabilities": true,
  "hasSupport": true,
  "supportType": "active",
  "isLatestPatchVersion": false,
  "isLatestMinorVersion": false,
  "isLatestVersion": false,
  "latestPatchVersion": "16.14.2",
  "latestMinorVersion": "16.14.2",
  "latestVersion": "17.9.0",
  "activeSupportEndDate": "2022-10-18T00:00:00.000Z",
  "supportEndDate": "2024-04-30T00:00:00.000Z",
  "rulesLastUpdatedDate": "2022-04-13T02:37:54.081Z",
  "vulnerabilities": {
    "CVE-2022-778": {
      "id": "CVE-2022-778",
      "baseScore": 7.5,
      "publishedDate": "2022-03-15T17:15:00.000Z",
      "lastModifiedDate": "2022-04-06T20:15:00.000Z",
      "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)."
    }
  }
}
Running directly with npx is the preferred and easiest way to use Node Version Audit.
Execute the script, checking the run-time version of Node.js:
npx node-version-audit@latest
Produce a failure exit code if any CVEs are found or support has ended:
npx node-version-audit@latest --fail-security
Prefer Docker? Not a problem. It is just as easy to run using Docker:
Check a specific version of Node.js using Docker:
docker run --rm -t lightswitch05/node-version-audit:latest --version=17.9.0
Check the host's Node.js version using Docker:
docker run --rm -t lightswitch05/node-version-audit:latest --version=$(node -e "console.log(process.versions.node)")
Run behind an HTTPS proxy (for use on restricted networks). Requires a volume mount of a directory with your trusted cert (with .crt extension) - see update-ca-certificates for more details.
docker run --rm -t -e https_proxy='https://your.proxy.server:port/' --volume /full/path/to/trusted/certs/directory:/usr/local/share/ca-certificates lightswitch05/node-version-audit:latest --version=17.9.0
Want to integrate with Node Version Audit? That is certainly possible. A word of caution: this is a very early release. I do not have any plans for breaking changes, but I am also not committed to keeping the interface code as-is if there are new features to implement. Docker/CLI/JSON is certainly preferred over direct invocation.
const { NodeVersionAudit } = require('node-version-audit/lib/NodeVersionAudit');

// await is only valid inside an async function in CommonJS, so wrap the calls
(async () => {
  const nodeVersionAudit = new NodeVersionAudit('17.8.0', true);
  const auditResults = await nodeVersionAudit.getAllAuditResults();
  auditResults.supportEndDate; //-> 2022-06-01T00:00:00.000Z
  auditResults.hasVulnerabilities(); //-> true
})();
The data used to drive Node Version Audit is automatically updated on a regular basis and is hosted on GitHub pages. This is the real meat-and-potatoes of Node Version Audit, and you can consume it directly for use in other tools. If you choose to do this, please respect the project license by giving proper attribution notices. Also, I ask any implementations to read the lastUpdatedDate and fail if it has become out of date (2+ weeks). This should not happen since it is automatically updated… but we all know how fragile software is.
Get the latest Node.js 17 release version directly from the rules using curl and jq:
curl -s https://www.github.developerdan.com/node-version-audit/rules-v1.json | jq '.latestVersions["17"]'
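As an added example (not the project's code), a Node.js consumer of rules-v1.json that honours the request above: it treats the rules as unusable when lastUpdatedDate is more than two weeks old, and otherwise compares a version against latestVersions for its major line. The rules object is constructed for the example, and every field name other than lastUpdatedDate and latestVersions is an assumption.

```javascript
// Added example, not part of node-version-audit. Fields other than
// `lastUpdatedDate` and `latestVersions` (seen in the README's jq query)
// are assumptions about rules-v1.json.
const STALE_AFTER_MS = 14 * 24 * 60 * 60 * 1000; // README asks for a 2-week limit

// Constructed sample rules; values are illustrative only.
const SAMPLE_RULES = {
  lastUpdatedDate: '2022-04-13T02:37:54.081Z',
  latestVersions: { '16': '16.14.2', '17': '17.9.0' },
};

// True when the rules are older than the limit or the date cannot be parsed.
function rulesAreStale(rules, now = new Date()) {
  const updated = Date.parse(rules.lastUpdatedDate);
  if (Number.isNaN(updated)) return true; // unparseable date: fail closed
  return now.getTime() - updated > STALE_AFTER_MS;
}

// Accepts "17.8.0" or "v17.8.0"; returns [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns { stale, latest, behind }; stale rules yield no verdict at all.
function auditAgainstRules(rules, version, now = new Date()) {
  if (rulesAreStale(rules, now)) return { stale: true, latest: null, behind: null };
  const major = String(parseVersion(version)[0]);
  const latest = rules.latestVersions[major];
  if (!latest) return { stale: false, latest: null, behind: null }; // unknown line
  return { stale: false, latest, behind: compareVersions(version, latest) < 0 };
}

// Fixed "now" so the demonstration is reproducible offline.
console.log(auditAgainstRules(SAMPLE_RULES, '17.8.0', new Date('2022-04-20T00:00:00Z')));
```

In real use, replace SAMPLE_RULES with the parsed body of the rules URL shown above and pass process.versions.node as the version.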
usage: node-version-audit [--help] [--version=NODE_VERSION]
[--fail-security] [--fail-support]
[--fail-patch] [--fail-latest]
[--no-update] [--silent]
[--v]
optional arguments:
--help show this help message and exit.
--version set the Node Version to run against. Defaults to the runtime version. This is required when running with docker.
--fail-security generate a 10 exit code if any CVEs are found, or security support has ended.
--fail-support generate a 20 exit code if the version of Node no longer gets active (bug) support.
--fail-patch generate a 30 exit code if there is a newer patch-level release.
--fail-minor generate a 40 exit code if there is a newer minor-level release.
--fail-latest generate a 50 exit code if there is a newer release.
--no-update do not download the latest rules. NOT RECOMMENDED!
--silent do not write any error messages to STDERR.
--v Set verbosity. v=warnings, vv=info, vvv=debug. Default is error. All logging writes to STDERR.
Copyright © 2022 Daniel White
Audit your Node version for known CVEs and patches