A Project About Node Security in Three Acts:

  1. Audit every single module in npm.
  2. Provide advisories, issues and pull requests so modules get fixed.
  3. Provide a public API + DB of audit results.


Our goals are ambitious, but reachable with help from developers in the Node community and security researchers. We've been quietly working away at this for a few months now. It's no small undertaking. Our biggest challenge is auditing the existing module base. We plan to perform this distributed audit through a ticket system that members of the community can contribute manpower to. As we build and refine static analysis tools we will be able to do more automated verification, which is handy but not nearly as thorough as manual auditing. This project will not only help improve the security of the Node landscape on a technical level, but also help provide confidence to developers and enterprises about the state of security in Node.js land.