
Awesome Node.js Security resources

3k GitHub Stars · 218 Curated Resources · 17 Categories · Last Refreshed 17 hours ago
Categories:

  • Web Framework Hardening
  • GitHub Actions and CI/CD Security
  • Static Code Analysis
  • Dynamic Application Security Testing
  • Input Validation & Output Encoding
  • Secure Composition
  • CSRF
  • Vulnerabilities and Security Advisories
  • Security Hardening
  • Protestware supply chain security issues
  • npm and JavaScript specific security incidents and supply chain security issues
  • Newsletters
  • Articles
  • Research Papers
  • Books
  • Roadmaps
  • Hacking Playground


What's inside

npm and JavaScript specific security incidents and supply chain security issues

  • 2016 March 22

    left-pad - how one developer broke Node, Babel and thousands of projects in 11 lines of JavaScript.

  • 2017 August 02

    crossenv - malicious typosquatting package crossenv steals environment variables.

  • 2018 Feb 13

    conventional-changelog - a maintainer account with publish access to the conventional-changelog npm package was compromised and published malware for 1 day and 11 hours.

  • 2018 July 12

    eslint - malicious packages found in npm package eslint-scope and eslint-config-eslint.

  • 2018 May 02

    getcookies - malicious package getcookies gets embedded in higher-level Express-related packages.

  • 2018 November 27

    event-stream - malicious code found in npm package event-stream.

Protestware supply chain security issues

Security Hardening

Vulnerabilities and Security Advisories

  • auditjs

    Audits an npm package.json file to identify known vulnerabilities using the

  • check-my-headers

    Fast and simple way to check any HTTP Headers.

  • clawsearch-guard

    Pre-install security check for AI agent skills and npm packages. Runs Trust Score analysis before installation to detect malicious patterns, data exfiltration, and prompt injection.

  • confused

    Tool to check for dependency confusion vulnerabilities in multiple package management systems. See

  • gammaray

    Runs a security audit based on your package.json using the

  • is-website-vulnerable

    Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.

Static Code Analysis

  • ban-sensitive-files

    Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Also checks some files for sensitive contents (for example an authToken inside an .npmrc file).

  • Bearer

    A CLI tool to find and help you fix security and privacy risks in your code according to OWASP Top 10.

  • cspscanner

    CSP Scanner helps developers and security experts easily inspect and evaluate a site's Content Security Policy (CSP).

  • DevSkim

    DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. It also has a CLI so it can be integrated into a CI/CD pipeline.

  • eslint-plugin-anti-trojan-source

    ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase.

  • eslint-plugin-security

    ESLint rules for Node security. This project helps identify potential security hotspots, but produces many false positives that need triage by a human.

Web Framework Hardening

  • blankie

    CSP plugin for

  • fastify-helmet

    fastify-helmet helps you secure your

  • Helmet

    Helmet helps you secure your Express apps by setting various HTTP headers.

  • koa-helmet

    koa-helmet helps you secure your Koa apps by setting various HTTP headers.

CSRF

  • crumb

    CSRF crumb generation and validation for

  • csurf

    Node.js CSRF protection middleware.

  • fastify-csrf

    A plugin for adding CSRF protection to

Showing a sample of 218 resources. View the full list on GitHub.