Safeguard
Tag

javascript

Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.

55 articles

Tutorials

How to Audit npm Dependencies for Vulnerabilities

Go beyond npm audit's noisy output — resolve your dependency tree, prioritize by reachability, and fix both direct and transitive vulnerabilities in a Node.js project the right way.

Jul 5, 20265 min read
Security Guides

minimist Security Guide (2026)

minimist is the tiny argument parser buried under a huge slice of the npm ecosystem — and two prototype-pollution CVEs made this 'harmless' 100-line library one of the most widely flagged transitive dependencies in JavaScript.

Jul 5, 20266 min read
Security Guides

Secrets Management in Node.js: From .env to Zero-Standing-Credentials

Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.

Jul 5, 20265 min read
Security Guides

Securing Express Applications: A Layered Playbook

Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.

Jul 4, 20265 min read
Security Guides

How to Prevent Prototype Pollution in JavaScript

Prototype pollution turns a single crafted JSON key into process-wide corruption — and it has escalated to RCE in real Node.js apps. Here is how the attack works and four layers of defense that stop it.

Jul 4, 20265 min read
Buyer's Guides

JavaScript & TypeScript Code Review Tools: An Honest 2026 Guide

A balanced 2026 comparison of JavaScript and TypeScript code review tools — ESLint, Biome, Semgrep, CodeQL, SonarQube, Snyk Code — with honest tradeoffs and where Safeguard fits.

Jul 3, 20266 min read
Security Guides

Preventing SSRF in Node.js Applications

Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.

Jul 3, 20266 min read
Security Guides

The npm Supply Chain Security Guide

How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.

Jul 2, 20265 min read
Security Guides

Bun Security Best Practices (2026)

Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.

Jul 2, 20265 min read
Security Guides

Deno Security Best Practices (2026)

Deno is secure by default, but its permission model only protects you if you use it deliberately. Here is how to run Deno with least privilege and keep its dependency graph clean.

Jul 2, 20265 min read
Security Guides

JavaScript Security: The Common Pitfalls That Keep Burning Teams

The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.

Jul 2, 20265 min read
Security Guides

How to Build a Secure npm Package (2026)

A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.

Jul 1, 20265 min read
javascript (Page 2) — Safeguard Blog