This page covers security policy for the nodejs.org website repository. For vulnerabilities in the Node.js runtime itself, see the Node.js security policy.

Reporting a vulnerability

Do not open a public GitHub issue to report a security problem. Public disclosure before a fix is available puts all users at risk.
Report security issues privately using the GitHub Security Advisory workflow:
  1. Go to Security → “Report a vulnerability” on the nodejs.org repository.
  2. Fill in the advisory form with as much detail as possible: affected versions, reproduction steps, and potential impact.
  3. Submit the report. It is visible only to repository maintainers.
The team aims to acknowledge reports within 7 business days. If you do not receive an acknowledgement within that window, forward your report to [email protected].

Disclosure process

  1. Private report: the researcher submits a vulnerability via GitHub Security Advisory (private).
  2. Acknowledgement: the website team acknowledges the report within 7 business days and begins investigation.
  3. Fix development: a fix is developed in a private fork or security advisory branch.
  4. Public disclosure: once a fix is available and deployed, the vulnerability is published as a GitHub Security Advisory and assigned a CVE when applicable.
  5. Blog advisory (if warranted): for significant vulnerabilities, a notice may also be posted to the Node.js blog at nodejs.org/blog/vulnerability/.

Scope

This security policy applies to the nodejs.org website — its codebase, build pipeline, and infrastructure. It does not cover:
  • Vulnerabilities in the Node.js runtime (report to nodejs/node)
  • Vulnerabilities in npm packages (report to the respective package maintainer)
  • Content issues (broken links, outdated documentation) — these can be reported as regular GitHub issues

Dependency security

Dependencies are managed with a strict pinning policy (see Dependency Pinning) to minimize supply-chain risk. Dependabot is configured to:
  • Send automated security alerts when dependencies receive CVE advisories
  • Open PRs to update vulnerable dependencies
Dependabot security PRs are reviewed and merged promptly. For critical vulnerabilities in direct dependencies, a fix may be expedited outside the normal review cycle.

Website-specific security considerations

Content Security Policy

The site is deployed with a Content Security Policy (CSP) header that restricts which scripts, styles, and resources can be loaded. Changes to third-party integrations (analytics, fonts, external embeds) may require updating the CSP configuration.

Build pipeline

The build pipeline runs on GitHub Actions with minimal permissions. Secrets are stored in GitHub Secrets and are not exposed in build logs. Dependencies are installed from the npm registry using a pinned lockfile (pnpm-lock.yaml) to ensure reproducible builds.

Static export

The website supports a fully static export mode (NEXT_PUBLIC_STATIC_EXPORT=true). In static mode, there is no server-side code execution at request time, which reduces the attack surface for server-side vulnerabilities.

Reporting infrastructure issues

For issues with the hosting infrastructure (Cloudflare, Vercel, etc.) that affect availability or data integrity, contact the Node.js Website Team directly or escalate to the TSC at [email protected].
