All njs security issues should be reported to

Patches are signed using one of the PGP public keys.

Special considerations

njs does not evaluate dynamic code and especially the code received from the network in any way. The only way to evaluate that code using njs is to configure the js_import directive in nginx. JavaScript code is loaded once during nginx start.

In nginx/njs threat model, JavaScript code is considered a trusted source in the same way as nginx.conf and sites certificates. What this means in practice: