Node.js Test CI Security Incident

Node.js Technical Steering Committee

On March 21st, the Node.js project received a security report regarding our development infrastructure via our bug bounty program. We immediately restricted access while implementing corrective actions.

The reported issue did not impact the Node.js runtime and there is no risk to users of Node.js. No action by Node.js users is required.

The development infrastructure is expected to be available to the community by April 15 or sooner.

A full report of this incident will be forthcoming. We appreciate the time investment from our amazing volunteers who assisted in this response.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/security/. Please follow the process outlined in https://github.com/nodejs/node/security/policy if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

Last Updated: Mar 31, 2025