These aren’t the npm packages you’re looking for

Earlier in the year, over 500 malicious packages were released into the npm ecosystem to create dependency confusion. Let’s look at some ways to help protect applications from dependency injection. ... more

3 Jedi-inspired lessons to level up your JavaScript security

You might think of Star Wars as a movie reserved for geeks, but what if I told you that there are deep life lessons that can be applied to developer security practices? Get your lightsaber ready and prepare to dive into JavaScript security! ... more

Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine

Vue.js users using the dependency “node-ipc” are experiencing a supply chain attack protesting the invasion of Ukraine, from a package named “peacenotwar”. ... more

Python language support now beta in Snyk Code

Snyk Code, the AI-based static application security testing (SAST) tool, now offers Python as a supported development language (beta). Snyk Code already fully supports Java, JavaScript, and TypeScript. ... more

5 ways to prevent code injection in JavaScript and Node.js

Learn some best practices for keeping your Node.js and JavaScript projects safe from code injection attacks. ... more

How to deploy a Vue.js Jamstack application on Netlify with automatic security updates from Snyk

Fancy learning front-end security concepts while also learning how to deploy a static website on Netlify? Ready to learn how you can automatically detect and fix vulnerable JavaScript dependencies? Jump right in. In this article we’ll use the following: ... more

Arbitrary code execution in Grunt

Welcome to the Snyk Monthly Vulnerability Profile. In this series, Snyk looks back on the vulnerabilities discovered by or reported to our Security Research Team. We choose one noteworthy vulnerability from the past month and tell the story behind the ... more

Exploring the minimist prototype pollution security vulnerability

On March 11th, 2020, Snyk published a medium severity prototype pollution security vulnerability (CVE-2020-7598) affecting the minimist npm package. This is part of an ongoing research by the Snyk security research team which had previously uncovered ... more

The State of Open Source Security – 2020

Open source security is our passion here at Snyk. Every year starting in 2017, Snyk has produced our annual State of Open Source Security report. In this report, we analyze the trends in open source security and how organizations are managing security ... more

What is a backdoor? Let’s build one with Node.js

A backdoor in our code that can perform OS injection is one of the most scary scenarios ever. Currently, npm has more than 1.2M of public packages available. For the last 3 years, our dependencies have become the perfect target for cybercriminals. We ... more

AngularJS Security Fundamentals

In this security best practices cheatsheet, we focus on AngularJS and discuss tips and guidelines that ensure secure coding practices. In essence, this cheatsheet is a collection of AngularJS security fundamentals for web developers. Download AngularJS ... more

Fastify Node.js framework improves JSON security thanks to security report

On April 9th Francesco Soncina –also known as phra on the HackerOne security bug bounty platform– reported a Server-side JavaScript code injection vulnerability to the Node.js Security working group. This vulnerability, initially identified Fastify, ... more

Snyk partners with the makers of Greenkeeper to help developers proactively maintain dependency health

We’re pleased to announce the graduation of Automatic Dependency Upgrades, a Snyk Open Source capability that helps developers proactively reduce security vulnerabilities and maintain dependency health when using open source software. Automatic Dependency ... more

Is your website vulnerable? Let’s fix it!

If you run a website, whether this is a full-fledged SaaS web application or a small blog — built by Gatsby, WordPress, or an indie GitHub Pages setup — one of the key concerns you want to mitigate is security vulnerabilities. Security vulnerabilities ... more

February in review: JVM Ecosystem Report, Python and Container Updates, and more

As we wrap up February, dive into the JVM Ecosystem report, tune into DevSecOps learnings, catch up on the latest Snyk product updates, and mark your calendar for KubeCon EU! Security news New! JVM ecosystem report 2020 Insights based on a global developer ... more

Integrating actionable security in your CI/CD workflow and build systems with Snyk tests

Connecting Snyk with the repositories you’ve stored in a source code management system such as GitHub or GitLab and then importing your projects to Snyk is a great way to leverage and benefit from security application testing throughout your core application ... more

Deploying a Gatsby site to GitHub Pages from Travis CI

I recently worked on a simple static website for an open source project I have and took Gatsby for a spin along with one of the theme starters. To serve the web pages, I decided to host my Gatsby generated static website on GitHub pages where I also ... more

Keep your dependencies up-to-date—enable auto upgrades with Snyk

We are excited to announce the release of a new way to take action on the deep insights Snyk offers regarding security and project health—auto upgrades. Where Snyk’s automated fix pull requests (PRs) apply targeted vulnerability fixes to make the smallest ... more

Angular vs React: the security risk of indirect dependencies

Welcome to Snyk’s State of JavaScript frameworks security report 2019. In this section, we review the security risk of the indirect independencies for both Angular and React, and then we also review the direct dependencies, first for Angular and then ... more

Comparing React and Angular secure coding practices

Welcome to Snyk’s State of JavaScript frameworks security report 2019, this section of the report is about Angular and React projects overall security posture. In this section, we explore both the Angular and the React project security postures. This ... more

84% of all websites are impacted by jQuery XSS vulnerabilities

Welcome to Snyk’s State of JavaScript frameworks security report 2019. In this blog post we’ll review security vulnerabilities found in other frontend ecosystem projects. After reviewing Angular and React as major JavaScript frameworks, we’ll take a ... more

2019 side-by-side comparison of Angular and React security vulnerabilities

Welcome to Snyk’s State of JavaScript frameworks security report 2019. In this section, we review the impact that security vulnerabilities can have by looking at the severity, CVSS scores and more over the years for both Angular and React. Furthermore, ... more

Angular vs React: security bakeoff 2019

Welcome to Snyk’s State of JavaScript frameworks security report 2019. Download the Report here Let’s begin this report by exploring the different security vulnerabilities found in the core Angular and React projects. We then review the severity breakdown ... more

A recap from our latest PCI webinar, and compliance tips from Deliveroo

Remember our previous blog post on the new PCI standards and how to comply? We recently hosted a webinar to break down what’s important to take away from the latest update, far beyond the fundamentals. During the session, Jim Manico (founder at Manicode) ... more

A Snyk peek into Node.js and npm’s state of open source security report 2019

In the State of Open Source Security Report 2019, we set out to measure the pulse of the open source security landscape throughout the different language ecosystems and have analyzed responses from over five hundred open source maintainers and users ... more

Why npm lockfiles can be a security blindspot for injecting malicious modules

I recently started playing around with the idea of threat modeling packages on the npm ecosystem. Can an event-stream incident happen again? How about other supply chain attacks? What will be the next vector of attack that we haven’t seen yet and might ... more

Everything you wanted to know about addressing security vulnerabilities in Linux-based containers

Think about the most important container image that you have running in production right now. How did you choose its base image? Do you know how many vulnerabilities that base image has? Wouldn’t you like to know? Here at Snyk we try to make the process ... more

10 Java security best practices

In this cheat sheet edition, we’re going to focus on ten Java security best practices for both open source maintainers and developers. This cheat sheet is a collaboration between Brian Vermeer, Developer Advocate for Snyk and Jim Manico, Java Champion ... more

Mastering Node.js version management and npm registry sources like a pro

In continuation to the 10 npm security best practices guide we published earlier this year, I’d like to further explore how to make it easier to switch between different Node.js versions and to switch between different npm registries while working in ... more

Securing Artifactory using Snyk

We are excited to share that starting today, you can make sure that vulnerable artifacts will not be used in your organization by using Snyk’s Artifactory plugin! Snyk as your Artifactory gatekeeper Snyk’s Artifactory plugin allows your team to define ... more