javascript
Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.
55 articles
How to Audit npm Dependencies for Vulnerabilities
Go beyond npm audit's noisy output — resolve your dependency tree, prioritize by reachability, and fix both direct and transitive vulnerabilities in a Node.js project the right way.
minimist Security Guide (2026)
minimist is the tiny argument parser buried under a huge slice of the npm ecosystem — and two prototype-pollution CVEs made this 'harmless' 100-line library one of the most widely flagged transitive dependencies in JavaScript.
Secrets Management in Node.js: From .env to Zero-Standing-Credentials
Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.
Securing Express Applications: A Layered Playbook
Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.
How to Prevent Prototype Pollution in JavaScript
Prototype pollution turns a single crafted JSON key into process-wide corruption — and it has escalated to RCE in real Node.js apps. Here is how the attack works and four layers of defense that stop it.
JavaScript & TypeScript Code Review Tools: An Honest 2026 Guide
A balanced 2026 comparison of JavaScript and TypeScript code review tools — ESLint, Biome, Semgrep, CodeQL, SonarQube, Snyk Code — with honest tradeoffs and where Safeguard fits.
Preventing SSRF in Node.js Applications
Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.
The npm Supply Chain Security Guide
How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.
Bun Security Best Practices (2026)
Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.
Deno Security Best Practices (2026)
Deno is secure by default, but its permission model only protects you if you use it deliberately. Here is how to run Deno with least privilege and keep its dependency graph clean.
JavaScript Security: The Common Pitfalls That Keep Burning Teams
The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.
How to Build a Secure npm Package (2026)
A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.