Safeguard
Tag

javascript

Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.

54 articles

Application Security

ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS

A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.

Jul 16, 20266 min read
Best Practices

Writing your first Jest unit tests for security-critical JavaScript

Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.

Jul 12, 20267 min read
Best Practices

Mocking APIs for secure testing: MSW and json-server for error and auth flows

MSW intercepts requests at the network layer; json-server spins up a fake REST API in one command. Neither should ever touch a real backend or real credentials.

Jul 12, 20267 min read
Application Security

The security implications of Node.js worker_threads

Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.

Jul 12, 20266 min read
Security Guides

node-fetch Security Guide (2026)

node-fetch brought the browser fetch API to Node.js and became a near-universal HTTP client — and its two real CVEs, a redirect-based header leak and a size-limit bypass, are exactly the kind of subtle bug that ships to millions of apps.

Jul 8, 20266 min read
Security Guides

ReDoS: Regular Expression Denial of Service in JavaScript

A single bad regex can freeze your entire Node.js event loop on one malicious request. Here is how catastrophic backtracking works, how to spot vulnerable patterns, and how to fix them without rewriting everything.

Jul 8, 20266 min read
Vulnerability Management

Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation

crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.

Jul 8, 20266 min read
Application Security

Wiring dependency and SAST scanning into your JavaScript CLI workflow

npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.

Jul 8, 20267 min read
Security Guides

Axios Security Guide (2026)

Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.

Jul 7, 20266 min read
Security Guides

Node.js Docker Security Best Practices

A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.

Jul 7, 20265 min read
Security Guides

JavaScript Dependency Vulnerability Scanning: Beyond npm audit

npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.

Jul 6, 20266 min read
Security Guides

semver (npm) Security Guide (2026)

semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.

Jul 6, 20266 min read
javascript — Safeguard Blog