🧠 AI Security & securing agentic coding LLM w MCP serves 🦄 Node.js Secure Coding 🌟 @GitHub Star 🏅 @OpenJS Pathfinder award for Security 🥑 DevRel @snyksec
- Tweets 78,203
- Following 1,714
- Followers 13,408
- Likes 45,172
Pinned Tweet
OH WOW😍
I received the GitHub Stars Award 2021 🌟
Thank you so much @github and everyone for the support and the recognition
This means so much to me ❤️
#OpenSource #GitHubStars
ALT GitHub Stars Award 2021 - "thank you for the tremendous work that you do in the community by inspiring educating and influencing all those around you" - recognizing Liran Tal
25
3
220
Me and TypeScript every single time
nitter.app/ciksgibiyim/status/171…
58
341
3,371
487,723
almost 2 decades of doing open source 🤯
ALT the commit contribution graph / timeline on GitHub for Liran Tal
119
73
1,822
118,028
Rule #7 of SQL: Developers rejecting ORMs are doomed to end up building them
In the next version of Bun
bun:sqlite supports query.as(Class) to attach methods & getters/setters to query results
ALT import { Database } from "bun:sqlite"; const db = new Database("my.db"); class Tweet { id: number; text: string; username: string; get isMe() { return this.username === "jarredsumner"; } } const tweets = db .query("SELECT * FROM tweets") .as(Tweet); for (const tweet of tweets.all()) { console.log("Me?", tweet.isMe); }
39
62
952
139,650
Deno is Rust based, right?
Goes to show that there's so much more involved than just "choosing Rust cause performance you know" 🤷♂️
Running `select * from users limit 100` in batches of 100:
Bun 1.2: 50k q/s
Node 23.6.0: 14k q/s (postgres.js)
Deno 2.1.6: 11k q/s (postgres.js)
ALT Load a huge table Queries per second. 100 rows x 100 parallel queries bun: 50,251 queries per second 50,251 node: 14,398 queries per second 14,398 deno: 11,821 queries per second 11,821 Bun v1.2 Node.js v23.6.0 Deno v2.1.6 View benchmark
26
16
553
131,814
So many blogs and tutorials showing poorly optimized and insecure ways of building Node.js docker images 😟
I'm putting together an optimal NodeJS Docker guideline 🐳
Step by step, explaining the rationale of Dockerfile directives
✅ Follow and stay tuned for more details
18
53
457
I got recognized as a GitHub Star for 2022 ⭐😊
It means a lot to me and I'm thankful for being able to educate and inspire other developers about open source and developer security.
Much gratitude to all of you who support and collaborate with me ❤️
And thank you, @GitHub.
58
11
426
Who needs to skill up on their Node.js security skills?
I have a freebie giveaway for ya 😉🎁
Giving away my book:
"Essential Node.js Security for Express"
1 Follow @liran_tal
2 Retweet, like or comment
3 I'll DM you a free download link for the book
ALT Hands-on and abundant with source code for a practical guide to Securing Node.js web applications. Node.js Secure Code Guidelines OWASP Essential Security Risks and Countermeasures Express Hardening Node.js and npm secure dependencies management Understanding and securing HTTP Headers, NoSQL Injections, XSS, CSRF, Regex DoS, Sessions and more
112
158
363
62,047
IT'S FINALLY RELEASED 😲🚀
Best practices to containerize Node.js web applications with Docker 🐳🙌
✅ A comprehensive step by step guide
✅ 10+ production-grade best practices
✅ Deploy NodeJS apps securely!
👉 snyk.io/blog/10-best-practic…
@NodeJS & @Docker security FTW
11
101
313
Here's a secret GitHub power tool
Did you know that you can navigate and create directories from within the GitHub UI if you just terminate each file with a forward slash / ? 🤯
You're welcome :-)
5
57
296
👋😍 ANNOUNCING my new Node.js book!
eval, new Function, the Node.js vm module?
Nah,
Start by adopting secure coding practices
🔮 Learn how to avoid Code Injection in JavaScript
📌 May 15th, 2024 release
🎁 PreOrder now at 70% discount!
nodejs-security.com/book/cod…
26
89
263
75,520
Deno didn't want to do package.json so they ended up inventing deno.json. Did I get it right?
17
4
249
61,981
Exciting news! I am thrilled to receive the #GitHubStars 2023 Award 🌟
It's an honor to be part of a community that's committed to open source and security.
Thank you @GitHub for recognizing my contributions. Let's keep building great things together! 🚀
ALT The GitHub Stars program thanks GitHub’s most influential developers and gives them a platform to showcase their work, reach more people, and shape the future of GitHub. The picture shows a recognition letter to Liran Tal for awarded the GitHub Stars 2023 award.
39
10
243
17,513
Wes is great, Bun is great.
I'm sure to Wes the security vulnerability in this code is clear but if you're not Wes, please *do not* follow this pattern 1:1 💣
>>
👌 this Bun API is so nice. Write to file by passing it a fetch Response.
No fussing with piping streams, concatenating chunks or checking that a folder exists first.
12
6
221
150,502
true story -
a colleague from another team came over to consult about Node.js stuff & I was totally psyched about her coming over.
I actually had to express what was so funny about the situation for other colleagues to understand 😀
You guys get it, right?
13
13
223
Thanksgiving is just the perfect time to share the news on receiving the GitHub Stars Award 2021 🌟
Feeling very thankful, blessed, and humbled ❤️🤗
#GitHubStars
19
4
201
Super honored to receive this formal nomination to the @GitHub Stars program for all of my opensource work😊❤️✨
Thank you so much for everyone who supported me and enabled me to be part of their open source projects ❤️
15
10
189
Psyched!
I've been recognized as a GitHub Star 🌟
It's an incredible honor to receive this recognition and be awarded to the GitHub Stars program, but most of all to thank you all who shared the journey with me ❤️ stars.github.com/profiles/li…
There's a lot to reflect on... thread⬇️
21
7
180
🚨 BREAKING
⚠️ The colors@1.4.1 npm package has an offending infinite loop code and is deemed vulnerable to Denial of Service
This continues the fallout of the Faker.js package of open source maintainer Marak
The story and what you should do: snyk.io/blog/open-source-mai…
11
59
141
Exciting news 🚀🚀🚀
My new book on
Secure Coding with Node.js is now available!
"Node.js Secure Coding: Defending Against Command Injection Vulnerabilities"
Get it: nodejs-security.com
11
41
155
25,005
One amazing thing about @nodejs is that you can swap out many surplus packages for native Node.js support and reduce your reliance on direct and indirect third-party dependencies by a large sum
7
16
152
26,326
If you fancy building your next Node.js microservice in a different style of frameworks than Express and Fastify, check out this intro to NestJS: amplication.com/blog/working…
6
25
135
13,203
Apologies that my posts and replies have become tech off-topic. I've been a bit busy empathizing with the genocide of my people.
Stay safe and I wish you peace wherever you are ❤️
13
3
133
8,530
Heard of @bunjavascript?
I'm launching the Bun Security course: bunsecurity.dev/
✔︎ Teaches you Securely using Bun API
✔︎ Teaches you secure coding conventions
✔︎ Book + online course
✔︎ You'll learn Path Traversal, Code Injection, Prototype Pollution and more!
5
33
126
15,622
big thank you to all Node.js contributors and the Node.js documentation team!
I visit the official @nodejs API docs very often and it's always such a pleasure to consult with. #NodeOfAppreciation ❤️
20
123
היי @EllaTravelsLove
קודם כל קחי 👑, נפל לך
שנית, אני מכתב את ההאקר חלל @bararchy ונשמח לעזור. מניחים שאת מוצפת במשימות אז תרגישי בנוח לחבר אלינו מי שעובד איתך ויכול לתת לנו רקע שנדע איך לעזור.
חברים פתרונות כמו תפתחי תיקייה בדרייב או גיליון אקסל אלו דברים שאני יכולה לעשות לבד. תודה בכנות על העצה והכוונות שלכם זהב טהוא אבל אני צעד אחד קדימה - אני צריכה פה ייעוץ של אבטחת מידע מחשש שאפתח דרייב ויפילו לי אותו מי שיש להם אינטרס שהדברים לא יהיו קיימים. מומחי אבטחת מידע שיסייעו לי עם פתרון אחסון מאובטח. תודה תודה תודה
4
3
102
7,263
In native Node.js core (LTS)
You can now (for a while actually) use the native Node.js test runner and completely ditch jest and friends
6
15
98
8,953
Squash, because all of your carefully hand-made commits are saved at the pull request level, and what we care about when we review a main line of development, i.e trunk, is the actual purpose of the commit, and not the story that lead to the commit.
2
2
105
Who is hiring in #tech right now?
Let's start a thread for folks
50
28
96
Counter-argument: using tagged template doesn't automatically infer you are using safe and secure parameterized statements 🤷♂️
The reason: without looking at the code implementation you don't know if it is doing client-side escaping or utilizing the driver's database engine
6
96
8,305
I published "Demystifying Jest Async Testing Patterns" 🎉🤓
medium.com/@liran.tal/demyst…
#jest #javascript #testing #nodejs
cc @goldbergyoni @kentcdodds @aaronabramov_ @cnakazawa @fbjest @JavaScriptDaily @JavaScriptKicks
1
36
96
SAY NO
TO SECRETS IN ENVIRONMENT VARIABLES no-secrets-env-vars-website.…
no-secrets-env-vars-website.…
15
11
105
63,709
❤️ Reasons to Love Jest: The Test Framework
I enjoy writing tests, but Jest takes it to a whole new level.
The first of several posts on @fbjest
medium.com/@liran.tal/reason…
cc @cnakazawa @aaronabramov_ @kentcdodds @gautam @BenedekGagyi
1
21
91
🔥BREAKING
🎉JavaScript Frameworks Security report 2019 🎉
I'm excited to share that I published on the @snykseec blog a comprehensive analysis of:
✅ Comparing Angular & React security practices and vulnerabilities
✅ Vue.js, jQuery & Bootstrap too!
snyk.io/blog/javascript-fram…
2
51
87
Your weekly reminder that #code you write is not code you ship
Ive been using this slide since forever in my security talks because it's an eye opener, not that you didn't know it before, but we often forget this simple fact.
embrace security early
#nodejs #javascript #security
4
44
90
✨ I'm setting up a curation of #NodeJS Security related resources at github.com/lirantal/awesome-…
Everything in between tools, research papers, hacking playgrounds.
Star it, and submit a Pull Request as I'm sure there's much more to add.
@nodejs @mhdawson1 @poledesfetes @pxlpnk
4
49
91
BLM groups and other underrepresented groups and minorities, be true to yourself in asking if you'd be safe in Gaza with Hamas in power or in Israel?
#حماس_هي_داعش
#حرروا_فلسطين_من_حماس
#therealimage
#hamasisISIS
#FreePalestineFromHamas
16
28
90
7,162
You mindlessly post #FreePalestine like a propaganda pamphlet without even understanding what it stands for:
🩸Founded on antisemitism
🩸Grounded in violent militant forces
🩸Calls for the annihilation of Jews and Israel state
![The Free Palestine Movement (Arabic: حركة فلسطين حرة) is a Palestinian Syrian armed movement and community organization that is led by the businessman Yasser Qashlaq and supports the Ba'athist government of Syria. The organization opposes the existence of Israel, and was mostly known for political activism and social services in favor of Palestinians in Syria and the Gaza Strip before 2012. Upon the outbreak of the Syrian Civil War, however, the Free Palestine Movement formed its own militias and has since then openly fought for the Syrian government against various rebel groups.
Furthermore, Yasser is known for his antisemitic views, having repeatedly called Jews "dregs of European garbage", a "gang of criminal murderers",[3] and "human pieces of filth"[5] that should be deported to Europe.[3][5] He has also stated that there is "no reason for coexistence" between Israelis and Palestinians, as the latter would reclaim their lands and "hunt [the Israelis] down to the end of the world,](/pic/orig/media%2FF89jo6WWkAAYT1U.jpg)
ALT The Free Palestine Movement (Arabic: حركة فلسطين حرة) is a Palestinian Syrian armed movement and community organization that is led by the businessman Yasser Qashlaq and supports the Ba'athist government of Syria. The organization opposes the existence of Israel, and was mostly known for political activism and social services in favor of Palestinians in Syria and the Gaza Strip before 2012. Upon the outbreak of the Syrian Civil War, however, the Free Palestine Movement formed its own militias and has since then openly fought for the Syrian government against various rebel groups. Furthermore, Yasser is known for his antisemitic views, having repeatedly called Jews "dregs of European garbage", a "gang of criminal murderers",[3] and "human pieces of filth"[5] that should be deported to Europe.[3][5] He has also stated that there is "no reason for coexistence" between Israelis and Palestinians, as the latter would reclaim their lands and "hunt [the Israelis] down to the end of the world,
10
35
91
7,302
I'm launching a new book 😍🚀
Looks nice?
Let me know what you think, ask anything, or just ping me if you want a 25% OFF to get in on the preorder
ALT Node.js Secure Coding: Defending Against Command Injection Vulnerabilities Learn secure coding conventions in Node.js by executing command injection attacks on real-world NPM packages and analyzing vulnerable code. Defend your code and buy the book at a 25% off in this early preorder.
10
11
83
9,225
Always remember, when you use open-source software, there's someone out there who is working on it, free of charge, selflessly, in unusual hours and unusual places. And you get it all for free.
Thank you Matteo ❤️🤗
Life of maintainer: working on a security release for @nodejs (undici) after landing in London for the collab summit. Hopefully I’ll finish before dinner in 1 hour!
4
7
84
3,442
an interesting read about the prevalence of npm and JavaScript packages in (long?) running docker containers and the vulnerabilities bundled in them.
Research paper: researchgate.net/publication…
4
20
76
Node.js Meetup in Tel Aviv.
Amazing turnout. One could be confused this is a mini conference 🙌
4
4
76
| ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄|
Security is not an afterthought
|_____________|
\ (•◡•) /
\ /
——
| |
|_ |_
6
8
69
9,237
reviewed this morning @mattpocockuk's 2025 update on How to Create an NPM Package along with my ☕
It found a bug in one of my TypeScript projects and a couple of things I picked up 👇🧵
ALT In this guide, we'll go through every single step you need to take to publish a package to npm. This is not a minimal guide. We'll be setting up a fully production-ready package from an empty directory. This will include: Git for version control TypeScript for writing our code and keeping it type-safe Prettier for formatting our code Vitest for running our tests GitHub Actions for running our CI process Changesets for versioning and publishing our package If you want to see the finished product, check out this demo repo.
3
4
78
13,319
What is item.name?
Is it coming from user input?
Is it sanitized before hand?
What happens if it includes path traversal characters like ../ ?
General security practice:
- Never concatenate string input to sensitive APIs
3
68
6,941
Node.js is wild.
Buying a course for $20 could potentially lead to a career that earns you $100k+ per year.
It still blows my mind how many people are sleeping on this. 😅
15
4
73
I'm sorry you have to go through this, Yoni. It has antisemitism all over it. I hope I'm wrong and this will clear up. Hang in there and ping if we can help support you. Most importantly, stay safe ❤️
1
4
69
8,103
don't judge yourself too harsh
an AI company valued at tens of trillions of dollars designed an API that nests data under `response.data.data[0]`
7
7
68
9,322
As if people in Gaza don't have it bad enough with Hamas terror org' in their elected government, they're now suffering direct consequences of rocket misfire on a hospital fired by Jihad, another terrorist group within Gaza
Palestinians I'm sorry and urge you to take a stand ❤️
5
5
71
3,133
🔥 Node.js CLI best practice 4 of 20
✅ Use colors in your CLI app to highlight & structure output, but provide a graceful degradation
❌ Otherwise: information may easily get lost in pale program output especially w/ text-heavy
Follow for more!
#commandline #protip #CLI2020
3
16
64
Rule two of devrel: always sit first row and share many nods, smiles and reactions to the speaker, it helps boosts their confidence.
I learned that first time in the JSHeroes conference which is known for its loving and supportive community.
5
12
67
13,792
I was trying to be clever but then @addalex has to go and implement worker threads for @nodejs 😆
if this interests you there's nodejs.org/api/worker_thread… to get you started and we'd be happy to get feedback and input from you!
#nodejs #javascript
20
64
📣 Announcing February 2020 campaign
🎉 Starting today, I'll share a DAILY TIP on
🔥 20+ #NodeJS CLI best practices
✅ Follow me to get [opinionated] tips on building successful commandline applications
RT for reach
#CLI #commandline #protip #CLI2020
5
41
69
Which of these 10 best practices for building Docker container images for your Node.js applications are you not following...?
3
23
64
5,478
Hi folks 👋
A lot of you have been asking me about getting started in open source so I'm going to shortly call out a few resources that help getting started in this journey.
There are several helpful guides but I think >>
3
14
66
11,871
Woah, so, I'm publishing a new book 🚀🎁
Preorder 👉 nodejs-secure-coding.lemonsq…
It's Friday so we can raise a toast to the book's pre-order ;-)
This book is going to teach you about Command Injection vulnerabilities in Node.js
p.s. apply the LAUNCHYAY25OFF coupon gift
7
11
63
11,072
Welcome to Consumer Driven Contracts 🎉✍️
- You suffer from backend /frontend APIs breaking changes?
- How do you allow future API changes to be backward compatible?
This is the topic of the CDC Testing Design Pattern
/1 Let's dive in for an introduction 🧵
4
15
64
Often #DevRel folks deter from "booth duty" because, granted, it is not only tiring to be on your feet for an entire day, but you often repeat yourself.
However, the input *you* receive from attendees new to your product is priceless. Developer Advocates should embrace it
9
4
62
🚨 PSA: Zod is currently vulnerable across ALL VERSIONS to a Regular Expression Denial of Service: security.snyk.io/vuln/SNYK-J…
A pull request is awaiting a to be merged for a new npm package release to get published but until then I advise monitoring closely
5
14
64
20,847
📢 Call for open-source contribution
If you didn't yet contribute to open-source projects,
and you want to submit a Pull Request to the @npmjs CLI,
I have something really easy for you!
My hope is to inspire you to participate in the open-source community. Are you in? 🤓
12
19
62
I'm looking for reviewers who'd be interested in reading up on a book I wrote about learning HTTP Security Headers
✅ It covers the basics in a guided fashion
✅ Technical reviewers
✅ Don't know about this? excellent, I'm interested in your feedback
Who wants an invite?
49
10
64
New Node.js feature is environment variables support
You can keep using dotenv, or you can remove it and spin up Node.js with --env-file=./.env and it will automatically populate your `process.env`
ALT New Node.js feature is environment variables support You can keep using dotenv, or you can remove it and spin up Node.js with --env-file=./.env and it will automatically populate your `process.env`
6
14
63
4,481
Next week,
I am going to interview GitHub CEO, Thomas Dohmke 😍
What would you ask him?
10
2
64
6,243
