Angular vs React: the security risk of indirect dependencies
Analyzes security risks from indirect dependencies in Angular and React boilerplate projects, comparing vulnerability counts and license issues.
Liran Tal is an AI security researcher and Node.js security expert focusing on securing agentic AI workflows, MCP, and software supply chains through research, education, and open-source work.
222 articles from this blog
A technical comparison of built-in security features and secure coding practices in React and Angular frameworks.
Analysis of widespread jQuery XSS vulnerabilities affecting 84% of websites, detailing version risks and vulnerable libraries.
Analysis of the 2019 State of Open Source Security Report, focusing on Node.js and npm vulnerabilities like Path Traversal and ReDoS.
A developer shares their experience attending JSConf Budapest, highlighting the talks, people, venue, and personal reflections on the event.
Essential npm security best practices to protect against malicious packages, including ignoring run-scripts and vetting third-party modules.
A guide to improving Jest test clarity by refactoring assertions and using custom error messages for better debugging.
npm registry hits 1 million packages. Analysis of top packages, vulnerabilities, and download statistics.
Learn how to prevent secrets like SSH keys and API tokens from being leaked into your final Docker images using multi-stage builds and secrets management.
Explains the security and performance differences between Docker's COPY and ADD commands, recommending COPY for safer image builds.
A guide on implementing Docker security best practices for Node.js, focusing on using non-root users to minimize attack surfaces.
Analysis of a malicious backdoor discovered in the popular bootstrap-sass Ruby gem, its impact, and essential security best practices for developers.
A guide to implementing Consumer-Driven Contract Testing with Pact to prevent API breakage in Service Oriented Architectures.
Learn how to use npm outdated and npm doctor commands to assess your project's dependency health and environment setup.
Explains the risks of inconsistent package lockfiles in npm/Yarn and how to enforce strict dependency installation using `npm ci` or `--frozen-lockfile`.
Explains how to prevent accidentally publishing secrets like API keys to the npm registry, covering .npmignore, package.json files, and dry-run.
Analysis of JSHeroes 2019 conference CFP data, revealing submission patterns and workshop details for the JavaScript event.
Analyzes security risks in npm package installation, highlighting the dangers of arbitrary code execution and advocating for cautious dependency management.
Highlights from the Node.js Security WG's January 2019 meeting, covering bounty programs and vulnerability database improvements.
A detailed analysis of the malicious event-stream npm package backdoor, its timeline, and the social engineering attack that led to its inclusion.