Introducing requireSafe: peace of mind for third-party Node modules
Today we’re announcing a pre-release beta of requireSafe.
The story for requireSafe started many years ago, back in the node 0.4 days when we were helping &yet secure products they were building for clients and themselves.
What became apparent very quickly is that these applications were built from many modules, authored by other people, each created with varying degrees of developer proficiency and dedication to maintaining those projects.
We had the experience to audit these dependencies, but doing so was enormously time-consuming; we needed help.
We formed the Node Security Project to start evangelizing good security practices and help make security a core value in the node community. We wanted to help developers avoid the same mistakes we saw being made in other platforms.
A passionate and amazing group of people gathered around the Node Security Project, putting in countless hours auditing modules, contacting maintainers, and submitting pull requests. But it’s become clear Node Security isn’t a part-time job that can be fueled solely by passion.
npm contained about 18k modules when we started—and that seemed like a lot then! The node community has since grown exponentially to where the npm registry contains roughly 124,000 modules today.
The Node Security Project is an overwhelming endeavor in which trust is very important. We could not simply give anybody and everyone access to the data, which made contributing difficult.
Without people able to commit to working on and feeding the project full time, there would be no way for the project to continue.
It’s time for node security to become a full time job. It’s that important.
Here’s what requireSafe will be:
- Dedicated resources looking after subscribers' third-party code
- Early warning and remediation recommendations when an issue is identified
- Documentation for developers on common “gotchas” when using certain modules
- Integration with your deployment and CI tools
- As sensitive vulnerabilities are resolved and made public, the information becomes available to the community at large.
What’s available in the beta?
Only free accounts are available in the beta.
Free accounts give you access to the requireSafe web portal to view security advisories for node modules, provided by the Node Security Project.
You will also have access to some of our first integrations, specifically email notifications and the requireSafe command line client, which is useful for validating your project's dependencies against our list of known vulnerable modules.
We plan to have many more integrations available in the future as well as a beautifully documented API for you to consume.
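To make concrete what "validating your projects against a list of known vulnerable dependencies" involves, here is an added Node.js example; it is not the requireSafe client or Node Security Project code. It assumes a constructed advisory format where each entry names a module and the first fixed version (every earlier version is treated as affected), and a constructed map of installed dependency versions such as a lockfile would report. Module names, versions and advisory titles are hypothetical.

```javascript
// Added example (not requireSafe's own client): check installed dependency
// versions against a constructed advisory list and report matches.

// Constructed advisory list; module names, versions and titles are hypothetical.
const ADVISORIES = [
  { module: "example-parser", fixedIn: "1.2.4", title: "Example: denial of service on crafted input" },
  { module: "example-template", fixedIn: "0.9.0", title: "Example: missing output escaping" },
];

// Constructed installed dependency map (exact versions, as a lockfile reports them).
const INSTALLED = {
  "example-parser": "1.2.3",
  "example-template": "0.9.1",
  "unrelated-lib": "4.0.0",
};

// Parse "major.minor.patch" into numbers. A malformed version is rejected
// outright rather than silently comparing as "not affected".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Core check: an installed module is reported when an advisory exists for it
// and the installed version is older than the advisory's fixed version.
function findVulnerable(installed, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const version = installed[adv.module];
    if (version === undefined) continue; // module not used by this project
    if (compareVersions(version, adv.fixedIn) < 0) {
      findings.push({ module: adv.module, installed: version, fixedIn: adv.fixedIn, title: adv.title });
    }
  }
  return findings;
}

// Human-readable report lines, one per finding, plus a summary line that a
// CI step can key off (non-zero findings should fail the build).
function report(installed, advisories) {
  const findings = findVulnerable(installed, advisories);
  const lines = findings.map(
    (f) => `${f.module}@${f.installed}: ${f.title} (fixed in ${f.fixedIn})`
  );
  lines.push(
    findings.length === 0
      ? "no known vulnerable dependencies"
      : `${findings.length} known vulnerable dependenc${findings.length === 1 ? "y" : "ies"}`
  );
  return lines;
}

console.log(report(INSTALLED, ADVISORIES).join("\n"));
```

Running it reports example-parser 1.2.3 as affected (below the fixed 1.2.4) and leaves example-template 0.9.1 alone because it is already at or above the fixed version. A production checker would read the lockfile rather than a hand-built map, honour full semver ranges instead of a single "fixed in" boundary, and exit non-zero from the CI step when any finding is present.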
requireSafe was created as a collaboration between ^lift’s security researchers and &yet’s developers. I want to especially thank Terry Carter, Henrik Joreteg, and Philip Roberts for their hard work on this project.
With requireSafe, I’m excited to take the next step in making security a core value and core activity of the node community.
We look forward to your feedback and serving the community we have grown to love.