javascript
Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.
55 articles
Is Lodash Safe? A 2026 Security Guide
Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.
Node.js Security Best Practices for 2026
A practical, runtime-aware checklist for hardening Node.js services in 2026 — from the built-in permission model and secure defaults to dependency risk, secrets, and reachability-based triage.
WebAssembly Security Explained (2026)
WebAssembly runs untrusted code in a memory-isolated sandbox, but sandboxed is not the same as safe. Here is how the Wasm security model actually works and where it breaks.
Reachability Analysis for JavaScript and TypeScript in 2026
JS reachability with npm's nested trees, dynamic require, ESM/CJS interop, and bundler dead code elimination. What modern tools resolve and what they punt.
Ledger Connect Kit December 2023: A CDN Attack Retrospective
The Ledger Connect Kit compromise was a five-hour CDN attack that drained roughly $600k from connected wallets. A look at how it happened and what defenders learned.
JSR JavaScript Registry Security Model
JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.
How to Detect Malicious npm Packages: A Workflow
A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.
npm Protestware Patterns From 2020 to 2026
A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons that still apply to modern JavaScript shops.
JSR/Deno Package Ecosystem Supply Chain
JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what it gets right and what it has not solved yet.
Event-Stream npm 2018: Package Trust Lessons That Still Apply
The event-stream npm incident remains the cleanest case study in maintainer-handoff risk. What it taught the ecosystem, and what we still ignore in 2026.
Compromised npm packages in the React and Next.js build p...
A react npm supply chain incident case study: how a phishing attack on a single maintainer compromised chalk, debug, and other build-pipeline dependencies.
Polyfill.io CDN Supply Chain Attack: 100K+ Sites
After a domain handover, polyfill.io began serving malware to more than 100,000 sites. Here is the attack chain and what the incident teaches us.