In this post, I will show you some advanced usage patterns for working with Playwright in order to take a screenshot of a specific element and modify the contents of the image, either before taking the screenshot or after, using image preprocessing tools.
If you’re unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository.
This ESLint plugin is based on the library and command-line tool anti-trojan-source.
A bad CLI can easily discourage users from interacting with it. Building successful CLIs requires attention to detail and empathy for the user in order to create a good user experience. It is very easy to get wrong.
In this guide I have compiled a list of best practices across areas of focus which aim to optimize for an ideal user experience when interacting with a CLI application.
What are typosquatting attacks and how do they impact open source developers? If you’re a JavaScript developer then you should understand them and be conscious that you aren’t mistakenly installing a package such as electron-native-notify - because hey, that’s a malicious package!
Not all developers understand what are the risks of command injections in Node.js applications and I see it more often when I triage security vulnerabilities. In this article I’m featuring a practical walk-through of an actual CVE for a Node.js module which has a command injection vulnerability.
Ron Perris from Snyk this checklist of React security best practices to help you and your team find and fix security issues in your React applications. I’ll show you how to automatically test your React code for security-related errors and automatically fix them.
Find security vulnerabilities in open source npm packages while you code. Receive feedback in-line with your code, such as how many vulnerabilities a package contains that you are importing.
Inspired by Import Cost
Liran Tal:
A severe security vulnerability impacted all popular npm package managers: npm, yarn and pnpm and even triggered a release for Node.js 12.4.0. What is behind this vulnerability and why is it so important for us to understand? I wrote about it in a post that also explains how npm handles executables.
Liran Tal:
In this report, we investigate the state of security for both the Angular and React ecosystems, looking at best practices, secure coding, and security vulnerabilities in React, Angular, and other frontend projects such as Bootstrap, Vue.js, and jQuery. Inside you will find the report in it’s digital format as a PDF to download and review offline.
Liran Tal:
I wrote this tiny module thing that allows you to quickly check if a website is running vulnerable JS libs straight from the terminal. You’d be surprised how many websites are still running old and vulnerable versions of jQuery, Bootstrap, Angular and others.
Use it responsibly ;-)
SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up.
As a testament for Sequelize’s commitment to security and protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.
Liran Tal:
How do you cope with the issues of libraries having security vulnerabilities but there’s no fix yet? With open source packages this might even be more apparent than ever. Maintainers are rightfully not in any contract to provide you support, yet you rely on third-party software by volunteers.
In this piece I want to show you how we’ve adopted surgical patches to help remove this burden and risk from users.
Serverless doesn’t mean “less” security, instead we should fine-tune our focus area to security implications that accompany a serverless architecture.
If you’re developing serveless functions on Azure, Google or AWS you probably want to make sure you follow these security best practices.
Liran Tal:
Developers, often lacking insights into the intricacies of Docker, may set out to build their Node.js-based docker images by following naive tutorials which lack good security approaches in how an image is built. One of these nuances is the use of proper permissions when building Docker images.
To minimize exposure, opt-in to create a dedicated user and a dedicated group in the Docker image for the application; use the USER directive in the Dockerfile to ensure the container runs the application with the least privileged access possible.
Click through for those tips plus 5 more and a downloadable cheat sheet. Good stuff 👍
Quickly manage and inspect your Docker containers and images from an interactive UI.
