javascript
Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.
54 articles
ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS
A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.
Writing your first Jest unit tests for security-critical JavaScript
Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.
Mocking APIs for secure testing: MSW and json-server for error and auth flows
MSW intercepts requests at the network layer; json-server spins up a fake REST API in one command. Neither should ever touch a real backend or real credentials.
The security implications of Node.js worker_threads
Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.
node-fetch Security Guide (2026)
node-fetch brought the browser fetch API to Node.js and became a near-universal HTTP client — and its two real CVEs, a redirect-based header leak and a size-limit bypass, are exactly the kind of subtle bug that ships to millions of apps.
ReDoS: Regular Expression Denial of Service in JavaScript
A single bad regex can freeze your entire Node.js event loop on one malicious request. Here is how catastrophic backtracking works, how to spot vulnerable patterns, and how to fix them without rewriting everything.
Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation
crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.
Wiring dependency and SAST scanning into your JavaScript CLI workflow
npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.
Axios Security Guide (2026)
Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.
Node.js Docker Security Best Practices
A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.
JavaScript Dependency Vulnerability Scanning: Beyond npm audit
npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.
semver (npm) Security Guide (2026)
semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.