secnull
updated apr 22 · 08:14 utc
— lead dispatch   ·   iam   ·   18 min read

The silent privilege-creep in three popular OIDC libraries — and why your staging cluster already leaked.

We audited passport-openidconnect, openid-client, and auth0-spa-js against the full OAuth 2.1 threat model. Two shipped mitigations we couldn't verify. One quietly disabled at_hash validation in v4.2. Here's the tape.

verdict: C
passport-openidconnect · mitigations unverified
loc reviewed: 8412
findings: 3 high · 6 med · 5 low
maintainer response: partial, 11d
supply-chain risk: moderate
recommended: with hardening
auth · crypto · supply · docs

audits published: 8 (+6 this week)
packages tracked: 32 (ecosystems: npm · pypi · cargo · go)
open CVE being watched: 0 (awaiting upstream patches)
ecosystem trust index: B+ (refreshed weekly)
sponsored verdicts: 0

— recent audits

this week, we read.

verdict A · zitadel/oidc · iam · maintained · go 1.22+

A careful implementation that earns its reputation.

zitadel/oidc's minimal attack surface, exhaustive test coverage against the RFC 6749 corpus, and a maintainer who replies on weekends make it our first recommendation for new Go projects.

apr 21 · 22 min read · desh patel · 12-mo score 94/100
verdict D · express-session@1.17.3 · web · stale · 3 high

Default configuration still leaks session fixation vectors in 2026.

The module is functional but its defaults belong in a museum. We document 3 practical CSRF variants that survive typical middleware stacks. Migrate, or harden aggressively.

apr 19 · 34 min read · hana kellerman · 12-mo score 41/100
verdict B · age-encryption/age · crypto · audited v1.2

The quiet, correct answer to 'how do I encrypt this file?'

age has a small surface, honest documentation, and a scheme that has survived real-world use. Our only gripe is key-file ergonomics — an interface problem, not a cryptographic one.

apr 17 · 18 min read · noor siddiqui · 12-mo score 82/100
verdict B · lucia-auth@3.2 · iam · recommended

Session handling sharpened since 3.0.

lucia-auth ships a well-documented threat model and defaults that embody it. A mid-release scope change introduced one rough edge around adapter contracts; otherwise, read the code and sleep well.

apr 12 · 15 min read · desh patel · 12-mo score 87/100

— beats

what we cover


— manifesto, §2

Security is not a product. It is a relationship between authors, maintainers, packagers, and the engineers who trust them by accident every morning.

secnull exists because that trust is usually misplaced — and because refusing to name names is a kind of complicity we can no longer afford.

— the secnull collective, 2024