Node.js Test CI Security Incident
Node.js Technical Steering Committee
On March 21st, the Node.js project received a security report regarding our development infrastructure via our bug bounty program. We immediately restricted access while implementing corrective actions.
The reported issue did not impact the Node.js runtime and there is no risk to users of Node.js. No action by Node.js users is required.
The development infrastructure is expected to be available to the community by April 15 or sooner.
A full report of this incident is forthcoming. We appreciate the time investment from our amazing volunteers who assisted in this response.
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/security/. Please follow the process outlined in https://github.com/nodejs/node/security/policy if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.