Conductance 0.5 and a security fix

September 26, 2014 by Tim Cuthbertson

The bad news first:

Just after cutting a new 0.5.0 release of Conductance, we discovered a security issue in all versions of Conductance which allows a remote attacker to execute arbitrary code on a server which publishes an .api module, by exploiting custom object marshallers.

0.5.1 includes a fix for this issue, and we've also pushed out an 0.4.2 release for everyone using 0.4. The 0.4.2 release simply disables the custom marshalling feature, since it's only needed in advanced cases - if you do need to use custom marshalling and you can't upgrade to 0.5, please get in touch and we'll help you out.

The better news

.. is that, as you may have gathered, we've just release Conductance 0.5, as well as StratifiedJS 0.19.

You can see the full details in the relevant changelogs (Conductance / StratifiedJS), but some notable changes include:

  • mho:observable has moved to sjs:observable
  • better error handling for surface mechanisms
  • improved cleanup / retraction on process exit
  • a local documentation browser route which can include your own custom hubs
  • improvements to systemd integration
  • additional nodejs modules (rimraf, mkdirp, tempfile)
  • useful additions to the sjs:nodejs/fs and sjs:nodejs/stream modules

If you've installed directly from, you can update by running conductance self-update.

If you haven't yet installed Conductance, head over to the Conductance Introduction page to get started.