🧠 AI Security & securing agentic coding LLM w MCP serves 🦄 Node.js Secure Coding 🌟 @GitHub Star 🏅 @OpenJS Pathfinder award for Security 🥑 DevRel @snyksec

OH WOW😍 I received the GitHub Stars Award 2021 🌟 Thank you so much @github and everyone for the support and the recognition This means so much to me ❤️ #OpenSource #GitHubStars
Me and TypeScript every single time nitter.app/ciksgibiyim/status/171…
Hands up if you were a Visual Basic coder! 👋
almost 2 decades of doing open source 🤯
Rule #7 of SQL: Developers rejecting ORMs are doomed to end up building them
In the next version of Bun bun:sqlite supports query.as(Class) to attach methods & getters/setters to query results
You're transferring way too much data over that cable
hits in the feels
Deno is Rust based, right? Goes to show that there's so much more involved than just "choosing Rust cause performance you know" 🤷‍♂️
Running `select * from users limit 100` in batches of 100: Bun 1.2: 50k q/s Node 23.6.0: 14k q/s (postgres.js) Deno 2.1.6: 11k q/s (postgres.js)
So many blogs and tutorials showing poorly optimized and insecure ways of building Node.js docker images 😟 I'm putting together an optimal NodeJS Docker guideline 🐳 Step by step, explaining the rationale of Dockerfile directives ✅ Follow and stay tuned for more details
I got recognized as a GitHub Star for 2022 ⭐😊 It means a lot to me and I'm thankful for being able to educate and inspire other developers about open source and developer security. Much gratitude to all of you who support and collaborate with me ❤️ And thank you, @GitHub.
Who needs to skill up on their Node.js security skills? I have a freebie giveaway for ya 😉🎁 Giving away my book: "Essential Node.js Security for Express" 1 Follow @liran_tal 2 Retweet, like or comment 3 I'll DM you a free download link for the book
IT'S FINALLY RELEASED 😲🚀 Best practices to containerize Node.js web applications with Docker 🐳🙌 ✅ A comprehensive step by step guide ✅ 10+ production-grade best practices ✅ Deploy NodeJS apps securely! 👉 snyk.io/blog/10-best-practic… @NodeJS & @Docker security FTW
Here's a secret GitHub power tool Did you know that you can navigate and create directories from within the GitHub UI if you just terminate each file with a forward slash / ? 🤯 You're welcome :-)
👋😍 ANNOUNCING my new Node.js book! eval, new Function, the Node.js vm module? Nah, Start by adopting secure coding practices 🔮 Learn how to avoid Code Injection in JavaScript 📌 May 15th, 2024 release 🎁 PreOrder now at 70% discount! nodejs-security.com/book/cod…
Deno didn't want to do package.json so they ended up inventing deno.json. Did I get it right?
Exciting news! I am thrilled to receive the #GitHubStars 2023 Award 🌟 It's an honor to be part of a community that's committed to open source and security. Thank you @GitHub for recognizing my contributions. Let's keep building great things together! 🚀
Wes is great, Bun is great. I'm sure to Wes the security vulnerability in this code is clear but if you're not Wes, please *do not* follow this pattern 1:1 💣 >>
👌 this Bun API is so nice. Write to file by passing it a fetch Response. No fussing with piping streams, concatenating chunks or checking that a folder exists first.
true story - a colleague from another team came over to consult about Node.js stuff & I was totally psyched about her coming over. I actually had to express what was so funny about the situation for other colleagues to understand 😀 You guys get it, right?
are you even old enough
Replying to @barzik
All this building of the URL just to get this
Thanksgiving is just the perfect time to share the news on receiving the GitHub Stars Award 2021 🌟 Feeling very thankful, blessed, and humbled ❤️🤗 #GitHubStars
Super honored to receive this formal nomination to the @GitHub Stars program for all of my opensource work😊❤️✨ Thank you so much for everyone who supported me and enabled me to be part of their open source projects ❤️
Replying to @sarah_edo
main reason to use it is their slogan! 😉
Psyched! I've been recognized as a GitHub Star 🌟 It's an incredible honor to receive this recognition and be awarded to the GitHub Stars program, but most of all to thank you all who shared the journey with me ❤️ stars.github.com/profiles/li… There's a lot to reflect on... thread⬇️
This is the way
BIG BIG NEWS!! I am literally ELECTRIFIED to join @snyksec's awesome team as a Developer Advocate and evangelize @nodejs security full time 🔥🥑 I need to dearly thank @sjmaple @adrukh @grander & @guypod for just about everything in making this move. Thank you so much! ❤️❤️❤️
oh wow, there's a Copy as Markdown option in Google Docs!!!
[ASCII-art sign] Thank a Maintainer ❤️
🚨 BREAKING ⚠️ The colors@1.4.1 npm package has an offending infinite loop code and is deemed vulnerable to Denial of Service This continues the fallout of the Faker.js package of open source maintainer Marak The story and what you should do: snyk.io/blog/open-source-mai…
I'M HIRING 👋😍 1. Python Developer Advocate 2. .NET Developer Advocate 3. Cloud Native Developer Advocate 4. Developer Acceleration Embark on a mission of helping developers levelup their application security game? DM me 😉 #hiring #appsec #devrel
One amazing thing about @nodejs is that you can swap out many surplus packages for native Node.js support and reduce your reliance on direct and indirect third-party dependencies by a large sum
[ASCII-art sign] every engineer is a security engineer
If you fancy building your next Node.js microservice in a different style of frameworks than Express and Fastify, check out this intro to NestJS: amplication.com/blog/working…
Apologies that my posts and replies have become tech off-topic. I've been a bit busy empathizing with the genocide of my people. Stay safe and I wish you peace wherever you are ❤️
Heard of @bunjavascript? I'm launching the Bun Security course: bunsecurity.dev/ ✔︎ Teaches you Securely using Bun API ✔︎ Teaches you secure coding conventions ✔︎ Book + online course ✔︎ You'll learn Path Traversal, Code Injection, Prototype Pollution and more!
the entire story of the Express Node.js web framework in one picture
Replying to @jasnell
Successfully built an app with no user input 👏
big thank you to all Node.js contributors and the Node.js documentation team! I visit the official @nodejs API docs very often and it's always such a pleasure to consult with. #NodeOfAppreciation ❤️
hugging face is the new github
Hi @EllaTravelsLove, first of all take a 👑, yours slipped again. I'm tagging the hacker @bararchy and we'd be happy to help. We assume you're swamped with tasks, so feel free to connect us with someone who works with you and can give us background so we know how to help.
Replying to @EllaTravelsLove
Friends, solutions like "open a folder in Drive or an Excel sheet" are things I can do on my own. Sincere thanks for your advice and intentions, they are pure gold, but I'm one step ahead: what I need here is information security consulting, out of concern that if I open a Drive, those with an interest in these things not existing will take it down. Information security experts who can help me with a secure storage solution. Thank you, thank you, thank you.
In native Node.js core (LTS) You can now (for a while actually) use the native Node.js test runner and completely ditch jest and friends
Squash, because all of your carefully hand-made commits are saved at the pull request level, and what we care about when we review a main line of development, i.e. trunk, is the actual purpose of the commit, and not the story that led to the commit.
Who is hiring in #tech right now? Let's start a thread for folks
Replying to @jarredsumner
Counter-argument: using tagged template doesn't automatically infer you are using safe and secure parameterized statements 🤷‍♂️ The reason: without looking at the code implementation you don't know if it is doing client-side escaping or utilizing the driver's database engine
Hands up if you were taking care of your electronics this well in your childhood 👋
❤️ Reasons to Love Jest: The Test Framework I enjoy writing tests, but Jest takes it to a whole new level. The first of several posts on @fbjest medium.com/@liran.tal/reason… cc @cnakazawa @aaronabramov_ @kentcdodds @gautam @BenedekGagyi
🔥BREAKING 🎉JavaScript Frameworks Security report 2019 🎉 I'm excited to share that I published on the @snykseec blog a comprehensive analysis of: ✅ Comparing Angular & React security practices and vulnerabilities ✅ Vue.js, jQuery & Bootstrap too! snyk.io/blog/javascript-fram…
was finally able to take a picture of @rauchg's office setup
Your weekly reminder that #code you write is not code you ship. I've been using this slide since forever in my security talks because it's an eye opener; not that you didn't know it before, but we often forget this simple fact. Embrace security early. #nodejs #javascript #security
✨ I'm setting up a curation of #NodeJS Security related resources at github.com/lirantal/awesome-… Everything in between tools, research papers, hacking playgrounds. Star it, and submit a Pull Request as I'm sure there's much more to add. @nodejs @mhdawson1 @poledesfetes @pxlpnk
Replying to @EllaTravelsLove
BLM groups and other underrepresented groups and minorities, be true to yourself in asking if you'd be safe in Gaza with Hamas in power or in Israel? #حماس_هي_داعش #حرروا_فلسطين_من_حماس #therealimage #hamasisISIS #FreePalestineFromHamas
You mindlessly post #FreePalestine like a propaganda pamphlet without even understanding what it stands for: 🩸Founded on antisemitism 🩸Grounded in violent militant forces 🩸Calls for the annihilation of Jews and Israel state
just another day of working on a Node.js project. today it is fastq.
I'm launching a new book 😍🚀 Looks nice? Let me know what you think, ask anything, or just ping me if you want a 25% OFF to get in on the preorder
Always remember, when you use open-source software, there's someone out there who is working on it, free of charge, selflessly, in unusual hours and unusual places. And you get it all for free. Thank you Matteo ❤️🤗
Life of maintainer: working on a security release for @nodejs (undici) after landing in London for the collab summit. Hopefully I’ll finish before dinner in 1 hour!
^ for context:
I 💜 French trains. They are my favorite kind of nomad office. 🚄👨‍💻🐄🌳
Hands up if you owned one of these or were craving for one! 👋
look at all of these lovely attack vectors that the HTML spec is enabling :-) #bugbounty
Replying to @flaviocopes
Squash commits in a PR is all you need. Simple and clean.
an interesting read about the prevalence of npm and JavaScript packages in (long?) running docker containers and the vulnerabilities bundled in them. Research paper: researchgate.net/publication…
Node.js Meetup in Tel Aviv. Amazing turnout. One could be confused this is a mini conference 🙌
JavaScript is amazing
[ASCII-art sign] Security is not an afterthought
STORY OF MY LIFE
reviewed this morning @mattpocockuk's 2025 update on How to Create an NPM Package along with my ☕ It found a bug in one of my TypeScript projects and a couple of things I picked up 👇🧵
What is item.name? Is it coming from user input? Is it sanitized before hand? What happens if it includes path traversal characters like ../ ? General security practice: - Never concatenate string input to sensitive APIs
Playwright's on top for trending testing tools in 2022, makes a lot of sense
26 least favorite things in #DevRel 🥑 🙈 1️⃣ Product marketers do not understand developer outreach and don't validate their messaging frameworks with developer advocates, which results in ineffective marketing (by @tessak22)
Node.js is wild. Buying a course for $20 could potentially lead to a career that earns you $100k+ per year. It still blows my mind how many people are sleeping on this. 😅
/1 🚨 mega-thread on exploiting MCP servers via prompt injection, buckle up 👇
I'm sorry you have to go through this, Yoni. It has antisemitism all over it. I hope I'm wrong and this will clear up. Hang in there and ping if we can help support you. Most importantly, stay safe ❤️
Don't judge yourself too harshly: an AI company valued at tens of trillions of dollars designed an API that nests data under `response.data.data[0]`
"this feature shouldn't introduce any security risks"
As if people in Gaza don't have it bad enough with Hamas terror org' in their elected government, they're now suffering direct consequences of rocket misfire on a hospital fired by Jihad, another terrorist group within Gaza Palestinians I'm sorry and urge you to take a stand ❤️
Fresh and ready for travel
🔥 Node.js CLI best practice 4 of 20 ✅ Use colors in your CLI app to highlight & structure output, but provide a graceful degradation ❌ Otherwise: information may easily get lost in pale program output especially w/ text-heavy Follow for more! #commandline #protip #CLI2020
Rule two of devrel: always sit in the first row and share many nods, smiles and reactions with the speaker; it helps boost their confidence. I learned that the first time at the JSHeroes conference, which is known for its loving and supportive community.
Rule one of devrel: Support others and don't troll, especially when they're on stage
I was trying to be clever but then @addalex has to go and implement worker threads for @nodejs 😆 if this interests you there's nodejs.org/api/worker_thread… to get you started and we'd be happy to get feedback and input from you! #nodejs #javascript
Having a good GitHub profile is underrated
Besides npm install, what else causes global warming?
📣 Announcing February 2020 campaign 🎉 Starting today, I'll share a DAILY TIP on 🔥 20+ #NodeJS CLI best practices ✅ Follow me to get [opinionated] tips on building successful commandline applications RT for reach #CLI #commandline #protip #CLI2020
Which of these 10 best practices for building Docker container images for your Node.js applications are you not following...?
what it's like when you install npm packages without --ignore-scripts:
Hi folks 👋 A lot of you have been asking me about getting started in open source so I'm going to shortly call out a few resources that help getting started in this journey. There are several helpful guides but I think >>
Woah, so, I'm publishing a new book 🚀🎁 Preorder 👉 nodejs-secure-coding.lemonsq… It's Friday so we can raise a toast to the book's pre-order ;-) This book is going to teach you about Command Injection vulnerabilities in Node.js p.s. apply the LAUNCHYAY25OFF coupon gift
Remember to upgrade to Node.js 20 as the new Long Term Support Bye bye Node.js 18!
2022, 2nd week what can possibly go wrong
Welcome to Consumer Driven Contracts 🎉✍️ - You suffer from backend /frontend APIs breaking changes? - How do you allow future API changes to be backward compatible? This is the topic of the CDC Testing Design Pattern /1 Let's dive in for an introduction 🧵
Often #DevRel folks shy away from "booth duty" because, granted, it is not only tiring to be on your feet for an entire day, but you often repeat yourself. However, the input *you* receive from attendees new to your product is priceless. Developer Advocates should embrace it.
🚨 PSA: Zod is currently vulnerable across ALL VERSIONS to a Regular Expression Denial of Service: security.snyk.io/vuln/SNYK-J… A pull request is awaiting to be merged for a new npm package release to get published, but until then I advise monitoring closely.
📢 Call for open-source contribution If you didn't yet contribute to open-source projects, and you want to submit a Pull Request to the @npmjs CLI, I have something really easy for you! My hope is to inspire you to participate in the open-source community. Are you in? 🤓
I'm looking for reviewers who'd be interested in reading up on a book I wrote about learning HTTP Security Headers ✅ It covers the basics in a guided fashion ✅ Technical reviewers ✅ Don't know about this? excellent, I'm interested in your feedback Who wants an invite?
New Node.js feature is environment variables support You can keep using dotenv, or you can remove it and spin up Node.js with --env-file=./.env and it will automatically populate your `process.env`
Hi everyone and welcome to my talk 🙈
Next week, I am going to interview GitHub CEO, Thomas Dohmke 😍 What would you ask him?
Just.... don't do this 🤦‍♂️
npm install vacation