SES vs known vulnerabilities

npm maintains a list of vulnerabilities found in JavaScript packages. Among other things, this work feeds npm audit.

One idea that might make the JS community discover/realize the benefits of SES could be to announce something along the lines of:

Running node -r esm code.js instead of node code.js solves 40% of known npm vulnerabilities out of the box.

“40%” is obviously completely random at this stage. It’s my best guess for now.

To move away from a guess to something reasonably significant, it would take:

  • take a random sample of known vulnerabilities
  • reproduce the vulnerability
  • figure out whether it goes away with SES out of the box (or with how much additional work)
  • report back the finding
  • accumulate results

The bigger the random sample, the more accurate the number.

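As an added illustration that is not part of the original post: a small tally for the "report back" and "accumulate results" steps, plus a Wilson confidence interval that shows how the sample size bounds how far the measured rate can be trusted. The finding records, their ids and the 95% z-value are constructed assumptions.

```javascript
// Added example: tally per-vulnerability findings and put an interval on the
// "fixed by SES out of the box" rate. Records below are constructed placeholders.

const Z95 = 1.96; // z for a 95% confidence level (assumption)

// Wilson score interval for a proportion fixed/total. Unlike the naive
// p +/- z*sqrt(p(1-p)/n) it behaves sensibly for small samples and rates near 0 or 1.
function wilsonInterval(fixed, total, z = Z95) {
  if (total === 0) return { estimate: NaN, low: NaN, high: NaN };
  const p = fixed / total;
  const z2 = z * z;
  const denom = 1 + z2 / total;
  const center = (p + z2 / (2 * total)) / denom;
  const half = (z * Math.sqrt((p * (1 - p)) / total + z2 / (4 * total * total))) / denom;
  return { estimate: p, low: center - half, high: center + half };
}

// Reproduced vulnerabilities needed so that a rate near `p` is known to
// within +/- `halfWidth` at the given confidence (normal approximation).
function sampleSizeFor(p, halfWidth, z = Z95) {
  return Math.ceil((z * z * p * (1 - p)) / (halfWidth * halfWidth));
}

// Aggregate findings. Only cases that were actually reproduced count toward
// the denominator; a case that could not be reproduced tells us nothing about SES.
function tally(findings) {
  const reproduced = findings.filter((f) => f.reproduced);
  const fixed = reproduced.filter((f) => f.fixedBySES);
  return {
    sampled: findings.length,
    reproduced: reproduced.length,
    fixedOutOfTheBox: fixed.length,
    ...wilsonInterval(fixed.length, reproduced.length),
  };
}

// Constructed placeholder findings; ids are not real advisory numbers.
const SAMPLE_FINDINGS = [
  { id: 'PLACEHOLDER-1', reproduced: true, fixedBySES: true },
  { id: 'PLACEHOLDER-2', reproduced: true, fixedBySES: false },
  { id: 'PLACEHOLDER-3', reproduced: false, fixedBySES: false },
  { id: 'PLACEHOLDER-4', reproduced: true, fixedBySES: true },
  { id: 'PLACEHOLDER-5', reproduced: true, fixedBySES: false },
];

console.log(tally(SAMPLE_FINDINGS));
console.log('40 of 100 fixed ->', wilsonInterval(40, 100));
console.log('n for +/-5% around 40% ->', sampleSizeFor(0.4, 0.05));
```

With 40 of 100 reproduced cases fixed, the 95% interval is roughly 31% to 50%; pinning the rate down to within 5 points at that level needs about 369 reproduced cases.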