awesome-nodejs-security
github.com/eric-erki/awesome-nodejs-security
Awesome Node.js Security resources
What's inside
Articles
Vulnerabilities and Security Advisories
- auditjs
Audits an NPM package.json file to identify known vulnerabilities using the
- gammaray
Runs a security audit based on your package.json using the
- node-release-lines
Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
- npm-audit
Runs a security audit based on your package.json using npm.
- npm-audit-resolver
Manage npm-audit results, including options to ignore specific issues in clear and auditable way.
- npq
Safely install packages with npm or yarn by auditing them as part of your install process.
Static Code Analysis
- ban-sensitive-files
Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Checks some files for sensitive contents (for example authToken inside .npmrc file).
- DevSkim
DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. Also has support for CLI so it can be integrated into CI/CD pipeline.
- eslint-plugin-security
ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- git-secrets
Prevents you from committing secrets and credentials into git repositories.
- lockfile-lint
Lint lockfiles for improved security and trust policies, to keep them clean of malicious package injection and other insecure configurations.
- NodeJSScan
A static security code scanner for Node.js applications. Includes a neat UI that can point to where the issue is and how to fix it.
Web Framework Hardening
Security Hardening
- [CJ blog on typosquat packages]
Malicious typosquatting package crossenv steals environment variables. References:
- express-limiter
Rate-limiting middleware for Express applications, built on Redis.
- [github issue]
Malicious packages found in npm packages eslint-scope and eslint-config-eslint. References:
- [github issue]
Malicious code found in npm package event-stream. References:
- [GitHub issue]
Malicious package getcookies gets embedded in higher-level Express-related packages. References:
- limits
Simple Express/Connect middleware to set limits on upload size, set request timeouts, etc.
Input Validation & Output Encoding
- escape-html
Escape string for use in HTML.
- js-string-escape
Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
- node-esapi
node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
- validator
An npm library of string validators and sanitizers.
- xss-filters
Just sufficient output filtering to prevent XSS!
Books
- Essential Node.js Security
Hands-on and abundant with source code: a practical guide to securing Node.js web applications.
- GuardRails
A GitHub App that gives you instant security feedback in your Pull Requests.
- Intrinsic
Intrinsic secures your sensitive data from bugs and malicious code, allowing you to run all code safely.
- NodeSource
Solid and Node Certified Modules.
- Secure Your Node.js Web Application: Keep Attackers Out and Users Happy
- Securing Node JS Apps
Learn the security basics that a senior developer usually acquires over years of experience, all condensed down into one quick and easy handbook.