JavaScript Framework Security Report 2019


By Liran Tal

Translation: crazy tech geek


Reprinting without permission is strictly prohibited

Welcome to Snyk’s State of JavaScript Framework Security Report 2019.

In this report, we investigate the security state of the Angular and React ecosystems. In this report we do not compare them as competing frameworks at all. Instead, we’ve reviewed them as viable alternatives for building a front-end ecosystem for JavaScript projects, focusing on the security risks and best practices of each, and the differences between them.

Download the report here

We highly recommend downloading the electronic version of the full report, but we also provide its contents here as a blog post:

JavaScript Framework Security Report 2019

The report covers:

  • Security Practices for Angular and React Core Projects
  • The security state of the Angular and React module ecosystems, based on an in-depth study of the vulnerabilities in each ecosystem
  • Security practices for other common JavaScript front-end framework alternatives such as Vue.js, Bootstrap, and jQuery
  • Significant security differences between different alternatives, especially between Angular and React

Key takeaways from the JavaScript Framework Security Report 2019

Here are the key takeaways from our report:

  • Angular vs. React Core Project Security

    • Angular has 23 security vulnerabilities in its original AngularJS project (Angular v1.x).
    • No security vulnerabilities were found in the Angular core framework components.
    • React has had several security bugs; vulnerabilities in its core library seem to be found fairly often and have been disclosed roughly every two years.
    • Only one React core project vulnerability was assigned an official CVE, and CVE does not list any vulnerability reports for Angular at all. Taken together, this shows that the open source community needs to use vulnerability databases in order to discover relevant security issues.
    • Snyk reported 26 security vulnerabilities across the Angular and React core projects, none of which are reported by npm audit.
  • Angular vs. React module ecosystem security

    • Both the React and Angular module ecosystems have shown security flaws in popular front-end library components with millions of downloads, some of which have no security fixes so far.
    • We have witnessed malicious modules affecting the Angular and React ecosystems and attempting to collect credit card, passwords and other sensitive information used in front-end web applications.
    • The Next.js framework showed great responsibility for security by quickly addressing all five vulnerabilities throughout the life of the project, delivering fixes within a week.

Information about CVEs and security vulnerabilities

To investigate the overall security posture of each ecosystem covered in this report, we discuss factors including security vulnerabilities identified in different relevant software packages. Vulnerabilities are reviewed and discussed in light of (and sometimes compared to) known vulnerabilities.

In the Common Vulnerabilities and Exposures (CVE) List maintained by the CVE Numbering Authority (CNA), known vulnerabilities are assigned identification numbers, and each CVE is assigned a CVSS score to indicate the severity of the listed vulnerability. Learn more about how vulnerability severity is scored with CVSS.

  • Angular vs. React security posture

    • Angular has visible and implementable security guidelines, communication, and responsible disclosure policies that React projects don’t have.
    • Angular has broader built-in support for data sanitization and output encoding in different contexts, such as URL attributes in HTML anchor (or link) elements, etc.
    • React has no built-in controls for data sanitization; instead it encodes output in most default cases and leaves it up to the developer to handle the remaining cases, such as ref and URL properties (the latter was addressed by a deprecation in React v16.9.0).
    • Angular provides protection against cross-site request forgery (CSRF) through built-in security mechanisms in its HTTP services, whereas React developers need to solve this problem on their own.
  • Front-End Ecosystem Security

    • jQuery has over 120 million downloads in the past 12 months, and according to W3Techs, 84% of all sites using jQuery use jQuery v1.x, which is affected by four very serious XSS vulnerabilities. In fact, if you are not using jQuery v3.4.0 or later (which is the case for most jQuery users), you are using a version that contains a security vulnerability.
    • In the past 12 months, Bootstrap has been downloaded 79,185,409 times and has a total of 7 cross-site scripting (XSS) vulnerabilities, three of which were disclosed in 2019. Notable community modules are affected as well: bootstrap-markdown has over 300,000 downloads in the same period but has no security fix or upgrade path for its XSS vulnerabilities, and bootstrap-select has over 2 million downloads and a critical XSS vulnerability, which was discovered by the Snyk research team with the help of its proprietary threat intelligence system.
    • Over the past 12 months, the Vue.js framework has been downloaded more than 40 million times. A total of four vulnerabilities have been found in the Vue.js core, all of which have been fixed.
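The security-posture bullets above draw a distinction between output encoding (which React applies by default) and context-aware sanitization (which Angular adds for cases such as URL attributes). The following is an added example, not code from the Snyk report or from React or Angular, written to show why encoding alone does not cover URL-valued props and what the extra check looks like; escapeHtml, isSafeHref, renderAnchor, the scheme allow-list and the app.invalid base URL are all assumptions made for this illustration.

```javascript
// Added example (not code from the Snyk report, React or Angular):
// output encoding of the kind React applies by default, plus the separate
// scheme allow-list a developer has to add for URL-valued props such as href.

// Escape the five characters that matter in HTML text and attribute
// contexts. This is the same kind of encoding React applies to text
// children and attribute values before they reach the DOM.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Schemes a link is allowed to use. Everything else (javascript:, data:,
// unknown schemes) is rejected; an allow-list avoids chasing new schemes.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Base used only to resolve relative URLs; the host is a placeholder.
const RESOLVE_BASE = 'https://app.invalid/';

// Decide whether a value may be used as an href/src. The WHATWG URL parser
// lower-cases the scheme and strips leading/trailing whitespace and embedded
// tabs/newlines, so the scheme is compared after parsing rather than by
// string matching. Unparseable input is rejected.
function isSafeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url), RESOLVE_BASE);
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Render an anchor the way a component would: text and attribute values
// are encoded, and an href with a disallowed scheme is replaced by an
// inert "#" instead of being passed through.
function renderAnchor(href, text) {
  const safeHref = isSafeHref(href) ? String(href) : '#';
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(text)}</a>`;
}

// The gap the report describes: a URL with a disallowed scheme usually
// contains none of the characters encoding touches, so escaping returns it
// unchanged and only the scheme check stops it.
function encodingChangesValue(value) {
  return escapeHtml(value) !== String(value);
}

// Constructed sample inputs, run for illustration.
for (const sample of ['https://example.com/?a=1&b=2', '/docs', 'javascript:doSomething()', 'data:text/html,x']) {
  console.log(sample, '->', renderAnchor(sample, '<b>link</b>'), '| encoding changed it:', encodingChangesValue(sample));
}
```

The same rule applies to any prop that the browser interprets as a URL (src, formAction, xlink:href): encode the value for the attribute context and, separately, validate its scheme before it is ever assigned.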
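The CSRF bullet above notes that Angular's HTTP services carry built-in protection while React applications have to add their own. The following is an added example, not Angular's code or the report's, that shows the cookie-to-header pattern Angular's HttpClient applies by default (cookie XSRF-TOKEN copied into header X-XSRF-TOKEN on state-changing, same-origin requests) together with the server-side comparison that must accompany it; issueToken, addXsrfHeader, verifyXsrf and parseCookies are names assumed for this illustration.

```javascript
// Added example (not Angular's or the Snyk report's code): the cookie-to-header
// CSRF pattern Angular's HttpClient uses by default, with the server-side
// check. Cookie and header names are Angular's defaults; everything else
// is assumed for this illustration.
const { randomBytes, timingSafeEqual } = require('crypto');

const COOKIE_NAME = 'XSRF-TOKEN';   // Angular's default cookie name
const HEADER_NAME = 'x-xsrf-token'; // Angular's default header name, lower-cased here

// Server issues a random token and stores it in a readable (non-HttpOnly)
// cookie: same-origin script can read it, a cross-origin page cannot.
function issueToken() {
  return randomBytes(32).toString('hex');
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function lowerCaseKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

// Client side, following the rules of Angular's XSRF interceptor: skip GET
// and HEAD (non-mutating) and absolute URLs (the token belongs to our own
// origin); otherwise copy the cookie value into the request header.
function addXsrfHeader(request, cookieHeader) {
  const method = request.method.toUpperCase();
  const url = request.url.toLowerCase();
  if (method === 'GET' || method === 'HEAD' || url.startsWith('http://') || url.startsWith('https://')) {
    return request;
  }
  const token = parseCookies(cookieHeader)[COOKIE_NAME];
  if (!token) return request;
  return { ...request, headers: { ...(request.headers || {}), [HEADER_NAME]: token } };
}

// Server side: accept a state-changing request only when the header value
// matches the cookie value. A cross-site page can make the browser send the
// cookie, but cannot read it to fill in the header, so a missing or
// mismatched header means the request did not come from our own pages.
function verifyXsrf(request) {
  const method = request.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD') return true;
  const headers = lowerCaseKeys(request.headers || {});
  const fromCookie = parseCookies(headers.cookie)[COOKIE_NAME];
  const fromHeader = headers[HEADER_NAME];
  if (!fromCookie || !fromHeader) return false;
  const a = Buffer.from(fromCookie);
  const b = Buffer.from(fromHeader);
  // timingSafeEqual throws on unequal lengths, so check lengths first.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed end-to-end run: issue a token, let the "client" attach it,
// then verify on the "server"; a request carrying only the cookie is rejected.
const demoToken = issueToken();
const demoCookie = `${COOKIE_NAME}=${demoToken}`;
const outgoing = addXsrfHeader({ method: 'POST', url: '/api/transfer', headers: {} }, demoCookie);
const incoming = { ...outgoing, headers: { ...outgoing.headers, cookie: demoCookie } };
console.log('same-origin POST accepted:', verifyXsrf(incoming));
console.log('cookie-only POST accepted:', verifyXsrf({ method: 'POST', headers: { cookie: demoCookie } }));
```

The pattern only holds if the token cookie cannot be set by an attacker-controlled subdomain and the server does not exempt additional methods; both halves, the client copy and the server comparison, are needed, which is exactly the part a React application must supply itself.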

You can continue reading Angular vs React: Security Bakeoff 2019, or download the full report.

The report reviews the overall security of each framework, its community-driven module ecosystem, and the security risks associated with it; from these perspectives it highlights the best security practices used in the field for writing secure code, and finally provides actionable security advice for Angular and React users.

This article was first published on the WeChat public account Front-End Pioneer.
