Open Source, Application Security, Ecosystems

JavaScript frameworks security report 2019

Liran Tal, October 30, 2019

Welcome to Snyk’s State of JavaScript frameworks security report 2019.

In this report, we investigate the state of security for both the Angular and React ecosystems. This report by no means intends to venture into any rivalries that may exist between the two in terms of whether one or the other is a true framework – we are not comparing them as competitive frameworks at all. Instead, we review them each as viable frontend ecosystem alternatives for building your JavaScript projects, while focusing on security risks and best practices for each and the differences between them.

Download the Report here

We highly recommend downloading the full version of the report in its digital format, but we have also made the following general sections available as blog posts:

  • The state of JavaScript frameworks security report 2019
  • Angular vs React: Security Bakeoff 2019
  • 2019 Side by Side Comparison of Angular and React Security Vulnerabilities
  • Angular vs React: The Security Risk of Indirect Dependencies
  • Comparing React and Angular Secure Coding Practices
  • 84% of all websites are impacted by jQuery XSS vulnerabilities

This report covers:

  • the security practices for each of the two different core projects, both Angular and React
  • the state of security of each of the two different module ecosystems, based on an in-depth look at the vulnerabilities contained in each of the ecosystems
  • the security practices for other common JavaScript frontend framework alternatives such as Vue.js, Bootstrap and jQuery
  • the significant security differences between the different alternatives, and particularly between Angular and React

JavaScript frameworks security report 2019 key takeaways

Following are key takeaways from our report’s findings.

Angular vs. React core project security

  • Angular contains twenty-three security vulnerabilities in its legacy AngularJS project (Angular v1.x).
  • No security vulnerabilities were identified in the core Angular framework components.
  • React has a few security vulnerabilities; vulnerabilities seem to be regularly found in its core libraries and disclosed every couple of years.
  • Only one React core project vulnerability has an official CVE assigned. None of the reported Angular vulnerabilities are listed by CVE at all. Together, these prove the need for a vulnerability database that taps into open source community activities, in order to surface relevant security issues.
  • Snyk reports twenty-six security vulnerabilities across Angular and React core projects, which npm audit falls short of in its reports.

Angular vs. React module ecosystem security

  • Both React and Angular module ecosystems exhibit security vulnerabilities in highly popular frontend library components spanning millions of downloads, some of which have no security fix available to date.
  • We have witnessed malicious modules impacting both the Angular and the React ecosystems with an attempt to harvest credit cards, passwords and other sensitive information used in frontend web applications.
  • The Next.js framework exhibited a great commitment to security by swiftly addressing all five vulnerabilities found throughout the lifetime of their project, offering fixes within just one week.

A word about CVE and security vulnerabilities

In order to investigate the overall security posture of each of the ecosystems included in this report, one of the factors we discuss is the set of security vulnerabilities identified in the relevant packages. We review and discuss these vulnerabilities against the landscape of, and sometimes in comparison to, publicly known vulnerabilities.

Known vulnerabilities have been assigned an identification number in the list of Common Vulnerabilities and Exposures (CVEs) maintained by the CVE Numbering Authorities (CNAs). CVEs are assigned CVSS scores that provide insight into how severe the listed vulnerabilities are. Learn more about how the severities of vulnerabilities are scored via their CVSS here.


Angular vs. React security posture

  • Angular has visible and attainable security guidelines, a security contact and a responsible disclosure policy, all of which are missing from the React project.
  • Angular has broader built-in support for data sanitization and output encoding in different contexts such as URL attributes in HTML anchor (or, link) elements.
  • React doesn’t have built-in controls for data sanitization, but rather encodes output by default in most cases and leaves it up to developers to address unhandled cases such as refs and URL attributes (the latter of which is addressed in the React v16.9.0 release).
  • Angular includes support for Cross-Site Request Forgery (CSRF) vulnerabilities with a built-in security mechanism in its HTTP service. React developers need to address these issues independently.

Frontend ecosystem security

  • jQuery was downloaded more than 120 million times in the last 12 months and, according to W3Techs, jQuery v1.x is used in 84% of all websites using jQuery; that version line has four medium-severity XSS vulnerabilities affecting it. In fact, if you’re not using jQuery v3.4.0 and above, which is true for the majority of jQuery users, then you are using a version that includes security vulnerabilities.
  • Bootstrap has been downloaded 79,185,409 times in the past twelve months, all while containing seven Cross-Site Scripting (XSS) vulnerabilities. Three of these were disclosed in 2019. Notable community modules such as bootstrap-markdown have more than 300,000 downloads in the same time frame, despite having no security fix or upgrade path for their XSS vulnerabilities. bootstrap-select features more than two million downloads and has a high severity XSS vulnerability that the Snyk research team surfaced with the help of their proprietary threat intelligence system.
  • The Vue.js framework has been downloaded more than 40 million times in the past 12 months and records four vulnerabilities in total for Vue.js core, all of which have been fixed.
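The two posture points above that React leaves to the developer (URL attributes such as an anchor's href, and CSRF protection for state-changing requests) are the kind of checks Angular ships built in: its DomSanitizer handles URL contexts, and its HttpClient XSRF support copies an `XSRF-TOKEN` cookie into an `X-XSRF-TOKEN` request header. The following is an added example written for this page, not code from the report or from either framework: a small allowlist-based href validator that an application would run on user-supplied links before rendering them (covering the pre-v16.9.0 React gap), and the server-side half of the cookie-to-header CSRF pattern that Angular's client expects. The cookie and header names follow Angular's defaults; the base origin `https://example.invalid/` and the sample inputs are constructed for the demonstration.

```javascript
// Added example for the Snyk report summary above; not part of the original page.

// --- 1. URL attribute validation (what React <16.9.0 did not do for href) ---

// Only these schemes may reach an href/src attribute. Anything else, including
// javascript:, data: and vbscript:, is replaced with a harmless placeholder.
const SAFE_URL_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Returns a URL that is safe to place in an href, or 'about:blank'.
// `base` is an assumed application origin used to resolve relative links.
function safeHref(candidate, base = 'https://example.invalid/') {
  if (typeof candidate !== 'string') return 'about:blank';
  // Browsers drop ASCII control characters (tab, newline, ...) inside a scheme,
  // so "java\tscript:" is treated as "javascript:". Strip them first so the
  // allowlist check sees the same scheme the browser would.
  const cleaned = candidate.replace(/[\u0000-\u001F\u007F]/g, '').trim();
  let parsed;
  try {
    parsed = new URL(cleaned, base); // relative URLs resolve against `base`
  } catch {
    return 'about:blank'; // unparsable input is never rendered
  }
  return SAFE_URL_PROTOCOLS.has(parsed.protocol) ? parsed.href : 'about:blank';
}

// --- 2. CSRF cookie-to-header check (the server side of Angular's scheme) ---

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Constant-time string comparison so the check does not leak how many
// leading characters of the token matched.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// `headers` is a plain object of lower-cased request header names.
// Accept the request only if the XSRF-TOKEN cookie and the X-XSRF-TOKEN header
// are both present and identical; a cross-site page can make the browser send
// the cookie but cannot read it to copy its value into a custom header.
function csrfTokenMatches(headers) {
  const cookieToken = parseCookies(headers['cookie'])['XSRF-TOKEN'];
  const headerToken = headers['x-xsrf-token'];
  if (!cookieToken || !headerToken) return false;
  return constantTimeEqual(cookieToken, headerToken);
}

// Constructed sample inputs.
const SAMPLE_LINKS = [
  'https://example.com/docs',
  '/account',
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html;base64,AAAA',
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), '->', safeHref(link));
}
console.log(
  'csrf ok:',
  csrfTokenMatches({ cookie: 'XSRF-TOKEN=abc123; theme=dark', 'x-xsrf-token': 'abc123' }),
);

module.exports = { safeHref, parseCookies, constantTimeEqual, csrfTokenMatches };
```

The validator deliberately parses with the platform `URL` class rather than a regular expression, so scheme matching follows the same normalisation the browser applies (case folding, control-character removal). The CSRF check is only meaningful if the `XSRF-TOKEN` cookie is unpredictable per session and the check is applied to every state-changing route, which is also what Angular's client-side behaviour assumes.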

Continue to read the Angular vs React: Security Bakeoff 2019 or download the full report.


This report reviews the overall security of each framework, their community-powered module ecosystems and the security risks associated with each. Based on these insights, the report ultimately provides actionable security advice for Angular and React users by highlighting the best security practices employed in the field to ensure secure code.
