npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

Writing Quality Vulnerability Reports

npm offers a way for security researchers, package users, package maintainers, and community members to report security vulnerabilities via the “Report a Vulnerability” button on npm Package pages. This provides the community a way to participate in coordinated disclosure with the package maintainer instead of opening a public issue, which could put users at risk.

These reports go directly to the npm Security team for triage instead of to the package maintainers. This is our way of helping the community spend less time on low-quality security reports.

To make sure reported vulnerabilities are handled rapidly and effectively, we need you, our community, to provide us with actionable, detailed information. Here are some basic dos and don'ts for your security report:

What should be included in a quality security report

What should not be reported

Also note: Vulnerabilities in the npm Registry, website, or other core services and tooling should be reported to security@npmjs.com.

Example quality report

I would like to report a command injection vulnerability in the “foobarbaz” package, version 1.0.0.

Follow the below steps to reproduce this vulnerability.

Environment:

Node.js v10.9.0 on Linux

1. npm i foobarbaz@1.0.0

2. Create the following proof-of-concept:

The code below illustrates the issue. Executing it in a directory that contains the file existingfile.zip (a valid zip file that exists on disk; it does not need to be attacker controlled) will also execute the supplied `touch xyz` command, creating a file. This could be any command that the user executing the code has permission to run.

```javascript
var foo = require('foobarbaz');
var unzip = foo.unzip;

// Gather user input from some source. In this case we simulate it with a string
var userinput = './existingfile.zip; touch xyz"';

// This line calls the vulnerable method with our user input.
unzip(userinput, './unzipped', function(){});
```

Thank you

We’re grateful for our community’s continual efforts to identify and report vulnerabilities and we look forward to your future submissions. We will continue to improve our tools and resources so that npm remains the source of trusted JavaScript.