Safeguard
Tag

javascript

Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.

55 articles

Security Guides

Is Lodash Safe? A 2026 Security Guide

Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.

Jul 1, 20266 min read
Security Guides

Node.js Security Best Practices for 2026

A practical, runtime-aware checklist for hardening Node.js services in 2026 — from the built-in permission model and secure defaults to dependency risk, secrets, and reachability-based triage.

Jul 1, 20266 min read
Security Guides

WebAssembly Security Explained (2026)

WebAssembly runs untrusted code in a memory-isolated sandbox, but sandboxed is not the same as safe. Here is how the Wasm security model actually works and where it breaks.

Jul 1, 20266 min read
Application Security

Reachability Analysis for JavaScript and TypeScript in 2026

JS reachability with npm's nested trees, dynamic require, ESM/CJS interop, and bundler dead code elimination. What modern tools resolve and what they punt.

Apr 8, 20265 min read
Supply Chain Attacks

Ledger Connect Kit December 2023: A CDN Attack Retrospective

The Ledger Connect Kit compromise was a five-hour CDN attack that drained roughly $600k from connected wallets. A look at how it happened and what defenders learned.

Mar 12, 20265 min read
Open Source Security

JSR JavaScript Registry Security Model

JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.

Mar 8, 20265 min read
Best Practices

How to Detect Malicious npm Packages: A Workflow

A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.

Mar 6, 20267 min read
Supply Chain Attacks

npm Protestware Patterns From 2020 to 2026

A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons that still apply to modern JavaScript shops.

Mar 3, 20267 min read
Open Source Security

JSR/Deno Package Ecosystem Supply Chain

JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what it gets right and what it has not solved yet.

Feb 28, 20267 min read
Software Supply Chain Security

Event-Stream npm 2018: Package Trust Lessons That Still Apply

The event-stream npm incident remains the cleanest case study in maintainer-handoff risk. What it taught the ecosystem, and what we still ignore in 2026.

Feb 4, 20265 min read
DevSecOps

Compromised npm packages in the React and Next.js build p...

A react npm supply chain incident case study: how a phishing attack on a single maintainer compromised chalk, debug, and other build-pipeline dependencies.

Jan 23, 20268 min read
Incident Analysis

Polyfill.io CDN Supply Chain Attack: 100K+ Sites

After a domain handover, polyfill.io began serving malware to more than 100,000 sites. Here is the attack chain and what the incident teaches us.

Jan 23, 20266 min read
javascript (Page 3) — Safeguard Blog