Nodejs articles

HOT TAKE

shell-quote CVE-2026-9277: newline slips past regex

May 24, 2026Security

shell-quote 1.8.4 fixes CVE-2026-9277 (CVSS 8.1): a newline in a .op token bypasses escaping because JavaScript's /(.)/g does not match line terminators.

BRIEF

vm2 ships 12 critical CVEs: the Node.js sandbox is out again

May 11, 2026Sysadmin Craft

12 CVEs in vm2 disclosed May 7, 2026 — CVSS 9.1-10.0, all sandbox escapes. Patched in 3.11.2. If you run untrusted code under vm2, update today.

Nodejs

Articles tagged Nodejs

shell-quote CVE-2026-9277: newline slips past regex

vm2 ships 12 critical CVEs: the Node.js sandbox is out again