Rebuilding OWASP/NodeGoat from scratch would cost roughly £278,233. Security holes, complexity and AI slop are compounding. Every feature shipped on top of this makes the fix more expensive.
Fixed scope. The deposit secures your slot — full quote before any work starts.
What This Software Does
NodeGoat is an intentionally vulnerable web application created by OWASP (a respected web security organisation) as a training tool. It is designed to teach developers how to identify and fix the top 10 most common web security risks in Node.js applications. It is not a production business application — its purpose is education and security training.
Overall Health
Because this is a deliberately insecure teaching tool, its health metrics must be understood in that context. That said, the codebase is relatively small (~13,000 lines), and many of the vulnerabilities present are intentional features of the training environment. The dependency list is significantly outdated, with 422 packages, many of which are old and unmaintained. The "Slop Index" score of 100/100 (worst possible) indicates the code is not following modern best practices, which again aligns with its educational purpose.
Most Important Risks
The most serious concern is that this application should never be deployed on a public-facing server or used in a production environment. It contains 12 critical and 45 high-severity security vulnerabilities across its third-party components — including weaknesses in core libraries that handle file processing, data parsing, and user input. If accidentally deployed in a real environment, it would be trivially easy for an attacker to compromise. The outdated dependencies (some dating back to 2015–2018) compound this risk considerably.
Top Recommended Actions
1. Enforce strict deployment controls — Ensure this application is only ever run in isolated, local, or sandboxed training environments, never on shared infrastructure or the public internet.
2. Update the dependency inventory — Even for a training tool, refreshing the 422 dependencies would reduce noise and ensure the intentional vulnerabilities remain the focus, rather than accidental ones introduced by outdated packages.
3. Add clear governance labels — Attach prominent documentation to the repository and any internal deployments explicitly stating this is a training tool, so it cannot be mistakenly treated as a deployable product.
AI Quotient rationale: AI could meaningfully modernise the outdated dependency stack, refactor repetitive route and data-access patterns, and add inline documentation, though the intentionally vulnerable code patterns must be preserved to maintain the tool's educational value.
This free report is the diagnosis. The audit turns it into a plan your team can act on — and on a sprint, I write the code myself.
| Component | Version | Ecosystem | License |
|---|---|---|---|
| /workspace/repo/.github/workflows/e2e-test.yml | unknown | ||
| /workspace/repo/.github/workflows/lint.yml | unknown | ||
| /workspace/repo/package-lock.json | unknown | ||
| actions/cache | v2 | github | unknown |
| actions/checkout | v2 | github | unknown |
| actions/checkout | v2 | github | unknown |
| actions/setup-node | v1 | github | unknown |
| actions/setup-node | v1 | github | unknown |
| actions/upload-artifact | v2 | github | unknown |
| abbrev | 1.1.1 | npm | ISC |
| accepts | 1.3.5 | npm | unknown |
| amdefine | 1.0.1 | npm | unknown |
| ansi-regex | 2.1.1 | npm | MIT |
| ansi-regex | 2.1.1 | npm | unknown |
| anymatch | 2.0.0 | npm | unknown |
| aproba | 1.2.0 | npm | ISC |
| are-we-there-yet | 1.1.5 | npm | ISC |
| arr-diff | 4.0.0 | npm | unknown |
| arr-flatten | 1.1.0 | npm | unknown |
| arr-union | 3.1.0 | npm | unknown |
| array-filter | 1.0.0 | npm | unknown |
| array-flatten | 1.1.1 | npm | unknown |
| array-unique | 0.3.2 | npm | unknown |
| assign-symbols | 1.0.0 | npm | unknown |
| async | 0.2.10 | npm | unknown |
| async | 0.2.9 | npm | unknown |
| async | 0.9.2 | npm | unknown |
| async | 1.5.2 | npm | unknown |
| async-each | 1.0.3 | npm | unknown |
| atob | 2.1.2 | npm | unknown |
| available-typed-arrays | 1.0.2 | npm | unknown |
| balanced-match | 1.0.0 | npm | MIT |
| balanced-match | 1.0.0 | npm | unknown |
| base | 0.11.2 | npm | unknown |
| bcrypt-nodejs | 0.0.3 | npm | unknown |
| binary-extensions | 1.13.1 | npm | unknown |
| bluebird | 3.5.3 | npm | unknown |
| body-parser | 1.18.3 | npm | unknown |
| brace-expansion | 1.1.11 | npm | MIT |
| brace-expansion | 1.1.11 | npm | unknown |
| braces | 2.3.2 | npm | unknown |
| broadway | 0.3.6 | npm | unknown |
| bson | 1.0.9 | npm | unknown |
| buffer-shims | 1.0.0 | npm | unknown |
| bytes | 3.0.0 | npm | unknown |
| cache-base | 1.0.1 | npm | unknown |
| caller | 0.0.1 | npm | unknown |
| camelcase | 1.2.1 | npm | unknown |
| camelcase | 2.1.1 | npm | unknown |
| camelize | 1.0.0 | npm | unknown |
| chokidar | 2.1.8 | npm | unknown |
| chownr | 1.1.1 | npm | ISC |
| class-utils | 0.3.6 | npm | unknown |
| cliff | 0.1.10 | npm | unknown |
| cliff | 0.1.9 | npm | unknown |
| cliui | 3.2.0 | npm | unknown |
| clone | 2.1.2 | npm | unknown |
| code-point-at | 1.1.0 | npm | MIT |
| code-point-at | 1.1.0 | npm | unknown |
| collection-visit | 1.0.0 | npm | unknown |
| Author | Commits | +Lines | -Lines | Score |
|---|---|---|---|---|
| ckarande | 112 | 652910 | 3624 | 3394.7 |
| Jesús Pérez | 13 | 620 | 626793 | 3150.1 |
| Liran Tal | 38 | 16888 | 1268 | 128.8 |
| Josep | 6 | 5641 | 6159 | 65 |
| Kim Carter | 35 | 1078 | 607 | 43.4 |
| Ulises Gascon | 23 | 2282 | 699 | 37.9 |
| Rob Cowsill | 23 | 1240 | 938 | 33.9 |
| fabre-pierre-jean | 2 | 2744 | 2066 | 26.1 |
| Ulises Gascon | 17 | 426 | 401 | 21.1 |
| Liran Tal | 11 | 46 | 22 | 11.3 |
| lucas jin | 9 | 88 | 90 | 9.9 |
| Ulises Gascón | 6 | 158 | 95 | 7.3 |
| Chetan Karande | 7 | 10 | 10 | 7.1 |
| Theba Gomez | 6 | 143 | 61 | 7 |
| Thomas Taschauer | 6 | 10 | 10 | 6.1 |