JavaScript frameworks security report 2019

🔘Angular contains twenty three security vulnerabilities in its legacy AngularJS project (Angular v1.x).

🔘 Both React and Angular module ecosystems exhibit security vulnerabilities in highly popular frontend library components spanning millions of downloads, some of which have no security fix available to date.

🔘No security vulnerabilities were identified in the core Angular framework components.

🔘We have witnessed malicious modules impacting both the Angular and the React ecosystems with an attempt to harvest credit cards, passwords and other sensitive information used in frontend web applications.

🔘React has a few security vulnerabilities; vulnerabilities seem to be regularly found in its core libraries and disclosed every couple of years.

🔘The Next.js framework exhibited a great commitment to security by swiftly addressing all five vulnerabilities found throughout the lifetime of their project, offering fixes within just one week.

🔘Only one React core project vulnerability has an official CVE assigned. None of the reported Angular vulnerabilities are listed by CVE at all. Together, these prove the need for a vulnerability database that taps into open source community activities, in order to surface relevant security issues.

🔘Snyk reports twenty six security vulnerabilities across Angular and React core projects, which npm audit falls short of in its reports.

🔘Angular has visible and attainable security guidelines, a security contact and a responsible disclosure policy, all of which are missing from the React project.

🔘jQuery was downloaded more than 120 million times in the last 12 months and according to W3Techs, jQuery v1.x is used in 84% of all websites using jQuery, which have four medium severity XSS vulnerabilities affecting it. In fact, if you’re not using jQuery v3.4.0 and above, which is true for the majority of jQuery users, then you are using a version that includes security vulnerabilities.

🔘Angular has broader built-in support for data sanitization and output encoding in different contexts such as URL attributes in HTML anchor (or, link) elements.

🔘Bootstrap has been downloaded 79,185,409 times in the past twelve months, all while containing seven Cross-Site Scripting (XSS) vulnerabilities. Three of these were disclosed in 2019. Notable community modules such as

bootstrap-markdown

have more than 300,000 downloads in the same time frame, despite having no security fix or upgrade path to its XSS vulnerabilities.

bootstrap-select

features more than two million downloads and has a high severity XSS vulnerability that the Snyk research team surfaced with the help of their proprietary threat intelligence system.

🔘React doesn’t have built-in controls for data sanitization, but rather encodes output by default in most cases and leaves it up to developers to address unhandled cases such as refs and URL attributes (the latter of which is addressed in the React v16.9.0 release).

🔘The Vue.js framework has been downloaded more than 40 million times this past 12 months and records

four vulnerabilities in total for Vue.js core

, all of which have been fixed.

🔘Angular includes support for Cross-Site Request Forgery (CSRF) vulnerabilities with a built-in security mechanism in its HTTP service. React developers need to address these issues independently.