lirantal

A Git library turned into a Command Injection liability:

A promising Git library turns into a security nightmare when it harbors command injection vulnerabilities

Are you using the Nuxt MDC library to render LLM generated content in your Nuxt.js apps? You want to read this article to understand how I came to find a XSS vulnerability identified today as CVE-2025-24981

Analyzing a vulnerability in safe-axios, an npm package designed to safeguard applications from SSRF attacks.

What if I told you that parsing URLs from user input, especially from Markdown content, can be a security risk? Here is how URL parsing logic an be bypassed and what you need to know to handle it in a secure way.

How do you handle TypeScript, dual ESM and CJS publishing, and the JavaScript toolchain in 2025? Here's a brief overview of the current state of the ecosystem and the tooling I personally use.

If you are doing security research or just curious about finding npm vulnerabilities, let me share some resources to help you stay up-to-date with the latest security CVEs in the JavaScript ecosystem.

Learn about the npm `ignore-scripts` flag and how to use it to prevent the execution of arbitrary commands from malicious npm packages.

IDOR vulnerabilities are often overlooked but can lead to data exfiltration and exposure of confidential data. Here's how to hunt for them with an example Node.js code.

Learn how to use JSON Web Tokens (JWT) securely in your Node.js applications. I'll cover the basics of JWT and share best practices to avoid common security mistakes.

I ventured to write up a semi-philosophical piece about AppSec and Devs from the behavioral economics perspective. I’d love to discuss this further if it sparks some thoughts for you.

BunBuster, a new security research tool built with Bun, is paving the path for more security research projects with Bun.

A subtle introduction to static analysis in JavaScript and the security aspect of this:

Coding is "simple" until you figure out you introduced a security vulnerability like this one on Deno

I've put together a piece to get started with Biome and ESLint for static analysis including some IDE integration

Half a dozen secure code review comments and none of them mentioned the potential security vulnerability that exists in the code snippet. Dive into a Node.js secure code review and see if you can spot the security bug you totally missed.

Even if you follow security best practices and choose bcrypt for password hashing you can still get it wrong. How does Bun handle it in a more secure fashion? What happened with the Okta bcrypt incident? Lets dive in.

Stop storing secrets in environment variables. It's a bad practice and only fits hobby or side projects with no real business impact. Here are all the reasons why you should never store secrets in environment variables and how to do it better.

Like using Promises?? :)

Explore the use of `Promise.withResolvers` in Node.js tests, providing examples and refactoring techniques to handle nested tests and signal their completion effectively. It also discusses the limitations of the `Promise.withResolvers` API in different Node.js versions.

Deno vulnerability CVE-2024-37150 - a recent security issue in the Deno CLI highlights the importance of secure credential handling. Learn how this vulnerability mirrors past npm CLI mistakes and what you can do to stay secure.

The rise of zero dependency JavaScript with packages like `neotraverse` and the controversy around the `axobject-query` package demonstrate the different perspectives and trade-offs that developers and maintainers need to consider when building and maintaining JavaScript applications.

Interestingly enough, the IDOR vulnerability type is found as a CVE more commonly in some languages rather than others. Why is that and how can you prevent it?

Path traversal vulnerabilities were discovered in webpack and backstage npm packages. Learn secure coding practices to prevent path traversal attacks in Node.js applications.

Getting Playwright to work on Heroku wasn't smooth sailing. It looked for browser dependencies that weren't installed by default and not in the location it expected them. Here's how I did it and what I learned along the way.

Can you spot an Insecure Direct Object Reference (IDOR) vulnerability in your JavaScript application? Learn what IDOR is, how it can be exploited, and how to prevent it in your code.

Tired of seeing poor authentication patterns in Node.js applications and Express code examples? Here's a guide on how to avoid them and what to do instead.

Learn how to secure your Node.js applications with the new Permissions Model, stay informed about security releases, and understand the Node.js Security Threat.

I published a couple of days ago an article on 9 curated Docker tips for Node.js developers to help you easily run one-off DevOpsy commands on your Node.js container apps. Hope you find it helpful 🐳

Get trained on secure coding techniques that are hacker-proof and build unbreakable Node.js and Server-side JavaScript apps.

Did you wake up this morning and not find a backdoor that opens your production server to remote access? Everything else is a bonus 😎

For those who missed the drama, quick TLDR: on Friday it was discovered that there is a malicious code in the xz utils package that is installed on Linux servers and allows remote access via ssh to malicious actors.

How is this also related to us in devs in JavaScript and Node.js land? I wrote what happened and also added my thoughts on the subject.

In this article we will review the following Node.js security concepts and their associated code snippets based on their effectiveness in preventing common security vulnerabilities and being very accessible to developers without requiring extra security expertise:

1. The Node.js Permissions Model
2. Implement input validation with a Fastify JSON schema
3. Secure password hashing with Bcrypt