Thursday, 12 January, 2017 UTC

Requiring authentication in Snyk CLI

Since Snyk launched in late 2015, we’ve supported testing applications anonymously. Today, we released a new version that requires (free!) registration and authentication before testing. This post explains why we made this change, and how it affects ...


Thursday, 22 December, 2016 UTC

Building the VSTS Snyk task, an interview with Jesse Houwing

Jesse Houwing (@jessehouwing) is a Lead Consultant at Xpirit. Recently he published a really helpful Visual Studio Team Services (VSTS) task making it easier to get Snyk incorporated into your VSTS workflow. We think it’s pretty awesome that he built ...


Monday, 19 December, 2016 UTC

Announcing Snyk CLI for Ruby, and more ways to fix Ruby vulnerabilities

Since we launched Ruby last month, we’ve been working away on improvements. Today we’re excited to let you know about our extended support for Ruby: Snyk’s CLI now supports both Node.js and Ruby; fix vulnerabilities with upgrades that require modifying ...


Wednesday, 14 December, 2016 UTC

Differences in version handling between RubyGems and npm

RubyGems and npm are the de facto standard package managers for Ruby and Node.js. At first glance they seem similar (because they are!), but when building a product that interacts with both of them, there are subtle differences that need to be taken into ...
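As an added illustration (our code, not the post's, and not necessarily the difference the post goes on to describe), here is one divergence a tool that reasons about both ecosystems has to model: the ranges produced by RubyGems' pessimistic operator `~>` versus npm's tilde `~`. The function names are ours; it handles numeric segments only and leaves prerelease tags (`1.0.0.pre` in RubyGems, `1.0.0-pre` in npm) aside.

```javascript
'use strict';
// Added example (not code from the post): one concrete place where RubyGems
// and npm diverge. RubyGems' pessimistic operator "~> a.b" drops the last
// segment and bumps the new last one, so "~> 1.2" allows anything below 2.
// npm's tilde "~a.b" always bumps the minor, so "~1.2" stops below 1.3.0.
// Numeric segments only; prerelease tags are deliberately out of scope here.

function parse(version) {
  return version.split('.').map(Number);
}

// RubyGems: "~> 1.2.3" => >= 1.2.3, < 1.3 ; "~> 1.2" => >= 1.2, < 2 ; "~> 1" => >= 1, < 2
function pessimisticRange(spec) {
  const segs = parse(spec);
  const upper = segs.length === 1 ? [segs[0]] : segs.slice(0, -1);
  upper[upper.length - 1] += 1;
  return { min: segs.join('.'), maxExclusive: upper.join('.') };
}

// npm: "~1.2.3" => >=1.2.3 <1.3.0 ; "~1.2" => >=1.2.0 <1.3.0 ; "~1" => >=1.0.0 <2.0.0
function npmTildeRange(spec) {
  const segs = parse(spec);
  const [major, minor = 0, patch = 0] = segs;
  const upper = segs.length >= 2 ? [major, minor + 1, 0] : [major + 1, 0, 0];
  return { min: [major, minor, patch].join('.'), maxExclusive: upper.join('.') };
}

// Segment-wise comparison, treating missing segments as 0 (so 1.2 == 1.2.0).
function compareVersions(a, b) {
  const x = parse(a);
  const y = parse(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function inRange(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.maxExclusive) < 0;
}

// The same two-segment shorthand lets 1.5.0 through on the RubyGems side
// but rejects it on the npm side.
function divergence(version, spec) {
  return {
    rubygems: inRange(version, pessimisticRange(spec)),
    npm: inRange(version, npmTildeRange(spec)),
  };
}

console.log(divergence('1.5.0', '1.2')); // { rubygems: true, npm: false }
```

The practical consequence for a scanner: a "vulnerable below 1.3" advisory must be matched against the resolved version, never against the declared constraint, because the same constraint text resolves to different sets in the two ecosystems.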


Wednesday, 30 November, 2016 UTC

Fixing a Remote Code Execution Vulnerability in EJS

This week we added a high-severity Remote Code Execution vulnerability in the EJS package to our vulnerability database. EJS (Embedded JavaScript Templates) is a fast, simple and very popular JavaScript templating engine. EJS provides a few different ...


Monday, 21 November, 2016 UTC

A brief history of modularity

Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of NPM gave a talk titled “A brief history of modularity”, which we felt was particularly ...


Thursday, 10 November, 2016 UTC

Announcing Snyk for Ruby

In the year since Snyk launched, we’ve been busy focusing on securing Node.js applications. Since that time our open-source database of npm package vulnerabilities has grown to 165, nearly a million tests have been run by our users, and we are continuously ...


Thursday, 3 November, 2016 UTC

Launching Serverless Snyk

Today we’re releasing the Serverless Snyk plugin—a plugin for the Serverless framework that helps you to prevent vulnerable packages in your application, using Snyk! In a Serverless environment, outdated server binaries are no longer the most glaring ...


Tuesday, 25 October, 2016 UTC

Yarn is Micro Secure

A few weeks ago, Facebook announced the open-source release of Yarn: a new client for the npm registry. While a few folks expressed concern, it appears to be a solid example of open-source development. Facebook, Google, Exponent and Tilde had similar ...


Thursday, 20 October, 2016 UTC

Fixing Serverless Security Vulnerabilities

Well over 80% of successful exploits today occur due to unpatched servers. With modern approaches such as Serverless & PaaS, the servers and their binaries will be managed by more dedicated and professional teams, which should dramatically reduce ...


Tuesday, 11 October, 2016 UTC

Launching "The Secure Developer" Podcast

Most would agree we should build more security into our development practices. Between the increasing pace of development, the shortage of security practitioners and the fact that most vulnerabilities are simply bugs, it seems clear we should build security ...


Wednesday, 31 August, 2016 UTC

Threat Modelling For Node.js Applications

This article is a guest post from Gergely Nemeth, CEO at RisingStack, building Trace by RisingStack to monitor and debug Node.js applications and microservices. What should I defend my application against? Should I deal with Cross-Site Scripting attacks? ...


Tuesday, 23 August, 2016 UTC

Using ES2015 Proxy for fun and profit

Much has been written about ES2015 - with its arrow functions, scoped variable declarations and controversial classes. However, a certain feature has received little love so far: the Proxy. As JS developers, we’re not used to relying on trapping mechanisms ...
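An added example of the trapping mechanism the post refers to (our code, not the post's): a Proxy wrapped around a settings object audits every read, write and delete, and refuses the writes that would reach `Object.prototype` when untrusted JSON is merged in. `guardedObject`, `applySettings` and `demo` are names chosen for this example.

```javascript
'use strict';
// Added example (not from the post). A Proxy lets us trap every read, write
// and delete on an object we hand to less-trusted code. Here the traps audit
// access and refuse writes to the keys that would reach Object.prototype.
// guardedObject/applySettings/demo are hypothetical names for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function guardedObject(target, onAccess = () => {}) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      onAccess('get', prop);
      return Reflect.get(obj, prop, receiver);
    },
    set(obj, prop, value, receiver) {
      if (FORBIDDEN_KEYS.has(prop)) {
        throw new TypeError(`refusing to set ${String(prop)}`);
      }
      onAccess('set', prop);
      return Reflect.set(obj, prop, value, receiver);
    },
    deleteProperty(obj, prop) {
      onAccess('delete', prop);
      return Reflect.deleteProperty(obj, prop);
    },
  });
}

// A naive "merge untrusted JSON into config" routine: on a plain object it
// would happily assign obj['__proto__'] and rewire the prototype chain.
function applySettings(target, untrusted) {
  for (const key of Object.keys(untrusted)) {
    target[key] = untrusted[key];
  }
  return target;
}

// Constructed inputs: one benign settings document, one attack document.
function demo() {
  const trail = [];
  const config = guardedObject({ debug: false },
    (op, prop) => trail.push(`${op}:${String(prop)}`));
  applySettings(config, JSON.parse('{"debug": true}'));
  let blocked = null;
  try {
    applySettings(config, JSON.parse('{"__proto__": {"polluted": true}}'));
  } catch (err) {
    blocked = err.message;
  }
  return { debug: config.debug, blocked, trail, polluted: ({}).polluted };
}

console.log(demo());
// { debug: true, blocked: 'refusing to set __proto__',
//   trail: [ 'set:debug', 'get:debug' ], polluted: undefined }
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property, so `Object.keys` does return it; the trap fires on the assignment, which is the point at which a plain object would have been rewired.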


Wednesday, 27 July, 2016 UTC

Enriching bitHound with Snyk

Dependencies are extremely powerful, but also open up a world of complexity. To successfully secure these packages in your application, you need to consider security as a natural aspect of quality. This means embedding it into your suite of quality tools ...


Thursday, 7 July, 2016 UTC

4 steps to address vulnerable dependencies

A couple of weeks back, we released Snyk’s tight GitHub integration. While building it, we were keen to make it as easy as possible to address known vulnerabilities, and explored the simplest and clearest actions you need to take to get it done. We eventually ...


Wednesday, 22 June, 2016 UTC

Out of Beta, plus exciting new features

It’s been nearly 8 months since we first launched Snyk at the Velocity Amsterdam conference. Since then, we’ve registered over 343,000 security tests, and 76% of users found vulnerabilities in their apps. Snyk patches were applied 71,000 times, closing ...


Thursday, 16 June, 2016 UTC

The 5 dimensions of an npm dependency

We often talk about the growing number of npm dependencies, and how they make us productive and fast on one hand, but fragile and potentially insecure on the other. But what exactly is an npm dependency? At Snyk, our product focuses on securing dependencies, ...


Wednesday, 8 June, 2016 UTC

Fixing SQL Injection: ORM is not enough

One of the most dangerous and widespread vulnerability types is SQL Injection, which gives attackers access to your backend database. Using prepared statements and Object-Relational Mapping (ORM) is a good way to defend against SQL injection, but it’s ...
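As an added example (our code, not the post's), the two places an ORM still leaves open: a raw query built by string interpolation, and identifiers such as sort columns that bind parameters cannot cover. The query objects use the `{ text, values }` shape accepted by drivers like node-postgres, so no database is needed to see the difference; the table and column names are invented.

```javascript
'use strict';
// Added example (not from the post): the two spots an ORM does not cover.
// Query objects use the { text, values } shape that drivers such as
// node-postgres accept; the users table and its columns are invented.

// Vulnerable: the ORM's raw-query escape hatch fed a template string.
function findUserUnsafe(username) {
  return {
    text: `SELECT id, name FROM users WHERE name = '${username}'`,
    values: [],
  };
}

// Hardened: the SQL text is constant and the value travels as a bind parameter.
function findUserSafe(username) {
  return {
    text: 'SELECT id, name FROM users WHERE name = $1',
    values: [username],
  };
}

// Bind parameters cannot stand in for identifiers (column names, ASC/DESC),
// which is exactly where "sort by any field" endpoints get injected even
// when every value is bound. Allowlist the identifier instead of escaping it.
const SORTABLE_COLUMNS = new Set(['id', 'name', 'created_at']);

function listUsersSorted(column, direction) {
  if (!SORTABLE_COLUMNS.has(column)) {
    throw new RangeError(`cannot sort by ${column}`);
  }
  const dir = String(direction).toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
  return {
    text: `SELECT id, name FROM users ORDER BY ${column} ${dir}`,
    values: [],
  };
}

// Constructed attacker input: a classic tautology.
const tautology = "' OR '1'='1";
console.log(findUserUnsafe(tautology).text);
// SELECT id, name FROM users WHERE name = '' OR '1'='1'
console.log(findUserSafe(tautology));
// { text: 'SELECT id, name FROM users WHERE name = $1', values: [ "' OR '1'='1" ] }
```

The same allowlist discipline applies to any part of a statement the driver treats as syntax rather than data: table names, `LIMIT`/`OFFSET` when they are interpolated, and the direction keyword.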


Thursday, 2 June, 2016 UTC

5 Ways to Get Node.js Vulnerability Alerts

Here at Snyk, we maintain a database of known vulnerabilities in Node.js and front-end npm packages, called VulnDB (also on GitHub). For each vulnerability, it includes a description of the vulnerability, additional references, and most importantly, ...


Monday, 16 May, 2016 UTC

Fixing `marked` XSS vulnerability

A few weeks ago we added to our DB a Cross-Site Scripting (XSS) vulnerability in the popular marked package. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application. marked ...


Friday, 6 May, 2016 UTC

Mitigating ImageMagick vulnerabilities in Node.js

Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe which disables the vulnerable ...


Wednesday, 20 April, 2016 UTC

Free vulnerability testing and monitoring for public GitHub projects

We are pleased to offer a free service from Snyk that lets anyone test for vulnerabilities – and then monitor – any public Node.js GitHub repository. Vulnerability testing for Node.js: to test a public project for vulnerabilities, go to snyk.io/test and ...


Tuesday, 5 April, 2016 UTC

Exploiting Buffer

Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. Good and popular projects have tripped over this wire, including ...
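An added example (our code, not the post's) of the shape of the bug: a handler that expects a string payload but receives a number from a JSON body, and the type check that refuses it. Before Node 8, `new Buffer(n)` with a number returned `n` bytes of uninitialised memory, so such a handler echoed raw process memory back to the client; current Node zero-fills and deprecates that constructor, but a number silently turning into a length is still worth rejecting. `toBuffer`, `echoPayload` and `scratch` are names chosen here.

```javascript
'use strict';
// Added example (not from the post). A number reaching Buffer construction
// becomes a length, not content: before Node 8 that meant n bytes of
// whatever the heap held. Refuse the type confusion at the boundary.
// toBuffer/echoPayload/scratch are hypothetical names for this example.

function toBuffer(input) {
  if (typeof input === 'number') {
    throw new TypeError('refusing to treat a number as a buffer length');
  }
  if (Buffer.isBuffer(input)) return input;
  if (typeof input === 'string') return Buffer.from(input, 'utf8');
  throw new TypeError(`unsupported payload type: ${typeof input}`);
}

// A ping-style handler: whatever the client sent comes straight back.
// The JSON body is untrusted, so `payload` may be any JSON type.
function echoPayload(jsonBody) {
  const { payload } = JSON.parse(jsonBody);
  return toBuffer(payload);
}

// When you genuinely need scratch space, ask for zeroed memory; reserve
// Buffer.allocUnsafe for buffers you will overwrite completely before use.
function scratch(n) {
  return Buffer.alloc(n);
}

// Constructed request bodies: a benign one and the numeric variant.
console.log(echoPayload('{"payload":"ping"}').toString()); // ping
try {
  echoPayload('{"payload":1024}');
} catch (err) {
  console.log(err.message); // refusing to treat a number as a buffer length
}
console.log(scratch(8)); // <Buffer 00 00 00 00 00 00 00 00>
```

The check belongs at the parsing boundary, not deep inside whichever library eventually calls `Buffer`, because by then the number already looks like a legitimate size argument.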


Sunday, 27 March, 2016 UTC

How to prevent malicious packages

Last week, CERT alerted users to the risk of publishing or consuming a malicious npm package. While not unique to npm, this substantial risk is more likely to happen in this ecosystem. It should be noted that while this is definitely an attack vector, ...


Tuesday, 22 March, 2016 UTC

Testing for unpublished packages

Yesterday, Azer Koçulu unpublished nearly 300 packages, notably including left-pad, which is used by top projects like Node & Babel. The npm team un-unpublished left-pad, but the remaining packages remained exposed for malicious actors to grab. ...