javascript-security
Safeguard articles tagged "javascript-security" — guides, analysis, and best practices for software supply chain and application security.
34 articles
DOM clobbering: the XSS attack that never runs a script tag
DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.
Anatomy of the polyfill.io CDN Compromise
In June 2024, a single acquired domain turned a free CDN trusted by over 100,000 sites into a live malware injection point — with no dependency update required.
Auditing Yarn Dependencies: A Guide to yarn audit and yarn npm audit
Yarn Classic and Yarn Berry audit dependencies differently. Learn the right commands for each, how to enforce overrides via resolutions, and where to go further.
Polyfill.io supply chain domain takeover
How a routine domain sale turned polyfill.io into malware served to 100,000+ sites, and how to catch supply chain takeovers before they ship.
npm audit: The Complete Guide to Auditing Node.js Dependencies
How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.
AngularJS security fundamentals
AngularJS has been unpatched since January 2022, yet it still runs in production. Here's the CVE history, the sandbox saga, and how to find your exposure.
Lodash prototype pollution vulnerabilities explained
A breakdown of lodash's prototype pollution CVEs (CVE-2018-3721, CVE-2019-10744, CVE-2020-8203), their impact, and concrete remediation steps.
What is Prototype Pollution
Prototype pollution lets attackers corrupt Object.prototype via unsafe merges, turning a data bug in lodash, jQuery, or minimist into RCE.
JavaScript Security Explained
JavaScript security means managing three attack surfaces: runtime bugs, browser XSS, and npm supply chain compromise — the last of which caused 2025's biggest incidents.
lodash defaultsDeep prototype pollution (CVE-2019-10744)
A critical prototype pollution flaw in lodash's defaultsDeep (CVE-2019-10744) lets attackers corrupt Object.prototype. Here's the impact and how to fix it.
lodash merge/mergeWith prototype pollution (CVE-2018-3721)
A deep dive into CVE-2018-3721, the lodash merge/mergeWith prototype pollution flaw: its real-world impact, affected versions, and how to remediate it fast.
underscore.js template code injection (CVE-2021-23358)
CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.