JavaScript frameworks security report 2019

Hi there 👋

I was intrigued in the answers for the below:

• the security practices for each of the two different core projects, both Angular and React
• the state of security of each of the two different module ecosystems, based on an in-depth look at the vulnerabilities contained in each of the ecosystems
• the security practices for other common JavaScript frontend framework alternatives such as Vue.js, Bootstrap and jQuery
• the significant security differences between the different alternatives, and particularly between Angular and React JavaScript frameworks security report 2019 key takeaways

Following are key takeaways from a recent report I ran about JavaScript security and its findings for Angular vs. React core project security:

• Angular contains twenty three security vulnerabilities in its legacy AngularJS project (Angular v1.x).

• No security vulnerabilities were identified in the core Angular framework components.

• React has a few security vulnerabilities; vulnerabilities seem to be regularly found in its core libraries and disclosed every couple of years.

• Only one React core project vulnerability has an official CVE assigned. None of the reported Angular vulnerabilities are listed by CVE at all. Together, these prove the need for a vulnerability database that taps into open source community activities, in order to surface relevant security issues.

• Snyk reports twenty six security vulnerabilities across Angular and React core projects, which npm audit falls short of in its reports.

Following are key takeaways from the report’s findings for Angular vs. React module ecosystem security:

• Both React and Angular module ecosystems exhibit security vulnerabilities in highly popular frontend library components spanning millions of downloads, some of which have no security fix available to date.

• We have witnessed malicious modules impacting both the Angular and the React ecosystems with an attempt to harvest credit cards, passwords and other sensitive information used in frontend web applications.

• The Next.js framework exhibited a great commitment to security by swiftly addressing all five vulnerabilities found throughout the lifetime of their project, offering fixes within just one week.

A word about CVE and security vulnerabilities

In order to investigate the overall security posture of each of the ecosystems included in this report, amongst the factors we discuss are security vulnerabilities identified in the different relevant packages. We review and discuss these vulnerabilities on the landscape of, and sometimes in comparison to, known vulnerabilities.

Known vulnerabilities have been assigned an identification number in the list of Common Vulnerabilities and Exposures (CVEs) maintained by the CVE Numbering Authorities (CNAs). CVEs are assigned CVSS scores that provide insight into how severe the listed vulnerabilities are. Learn more about how the severities of vulnerabilities are scored via their CVSS here.

Angular vs. React security posture

• Angular has visible and attainable security guidelines, a security contact and a responsible disclosure policy, all of which are missing from the React project.

• Angular has broader built-in support for data sanitization and output encoding in different contexts such as URL attributes in HTML anchor (or, link) elements.

• React doesn’t have built-in controls for data sanitization, but rather encodes output by default in most cases and leaves it up to developers to address unhandled cases such as refs and URL attributes (the latter of which is addressed in the React v16.9.0 release).

• Angular includes support for Cross-Site Request Forgery (CSRF) vulnerabilities with a built-in security mechanism in its HTTP service. React developers need to address these issues independently.

Frontend ecosystem security

• jQuery was downloaded more than 120 million times in the last 12 months and according to W3Techs, jQuery v1.x is used in 84% of all websites using jQuery, which have four medium severity XSS vulnerabilities affecting it. In fact, if you’re not using jQuery v3.4.0 and above, which is true for the majority of jQuery users, then you are using a version that includes security vulnerabilities.

• Bootstrap has been downloaded 79,185,409 times in the past twelve months, all while containing seven Cross-Site Scripting (XSS) vulnerabilities. Three of these were disclosed in 2019. Notable community modules such as bootstrap-markdown have more than 300,000 downloads in the same time frame, despite having no security fix or upgrade path to its XSS vulnerabilities. bootstrap-select features more than two million downloads and has a high severity XSS vulnerability that the Snyk research team surfaced with the help of their proprietary threat intelligence system.

• The Vue.js framework has been downloaded more than 40 million times this past 12 months and records four vulnerabilities in total for Vue.js core, all of which have been fixed.

I invite you to continue reading the Angular vs React: Security Bakeoff 2019 or download the full report.

• Angular vs React: Security Bakeoff 2019
• 2019 Side by Side Comparison of Angular and React Security Vulnerabilities
• Angular vs React: The Security Risk of Indirect Dependencies
• Comparing React and Angular Secure Coding Practices
• 84% of all websites are impacted by jQuery XSS vulnerabilities

This report reviews the overall security of each framework, their community-powered module ecosystems and the associated security risks with each; based on these insights, this report ultimately provides actionable security advice for Angular and React users by highlighting best security practices employed in the field in order to ensure secure code.