Safeguard
Tag

javascript-security

Safeguard articles tagged "javascript-security" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Application Security

DOM clobbering: the XSS attack that never runs a script tag

DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of the polyfill.io CDN Compromise

In June 2024, a single acquired domain turned a free CDN trusted by over 100,000 sites into a live malware injection point — with no dependency update required.

Jul 8, 20266 min read
Security Guides

Auditing Yarn Dependencies: A Guide to yarn audit and yarn npm audit

Yarn Classic and Yarn Berry audit dependencies differently. Learn the right commands for each, how to enforce overrides via resolutions, and where to go further.

Jul 7, 20265 min read
Software Supply Chain Security

Polyfill.io supply chain domain takeover

How a routine domain sale turned polyfill.io into malware served to 100,000+ sites, and how to catch supply chain takeovers before they ship.

Jul 2, 20267 min read
Security Guides

npm audit: The Complete Guide to Auditing Node.js Dependencies

How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.

Jul 1, 20266 min read
Application Security

AngularJS security fundamentals

AngularJS has been unpatched since January 2022, yet it still runs in production. Here's the CVE history, the sandbox saga, and how to find your exposure.

May 26, 20267 min read
Vulnerability Analysis

Lodash prototype pollution vulnerabilities explained

A breakdown of lodash's prototype pollution CVEs (CVE-2018-3721, CVE-2019-10744, CVE-2020-8203), their impact, and concrete remediation steps.

May 2, 20267 min read
Vulnerability Analysis

What is Prototype Pollution

Prototype pollution lets attackers corrupt Object.prototype via unsafe merges, turning a data bug in lodash, jQuery, or minimist into RCE.

Mar 24, 20266 min read
Industry Analysis

JavaScript Security Explained

JavaScript security means managing three attack surfaces: runtime bugs, browser XSS, and npm supply chain compromise — the last of which caused 2025's biggest incidents.

Feb 24, 20267 min read
Vulnerability Analysis

lodash defaultsDeep prototype pollution (CVE-2019-10744)

A critical prototype pollution flaw in lodash's defaultsDeep (CVE-2019-10744) lets attackers corrupt Object.prototype. Here's the impact and how to fix it.

Jan 12, 20268 min read
Vulnerability Analysis

lodash merge/mergeWith prototype pollution (CVE-2018-3721)

A deep dive into CVE-2018-3721, the lodash merge/mergeWith prototype pollution flaw: its real-world impact, affected versions, and how to remediate it fast.

Jan 6, 20269 min read
Vulnerability Analysis

underscore.js template code injection (CVE-2021-23358)

CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.

Jan 5, 20267 min read
javascript-security — Safeguard Blog