Safeguard
Tag

javascript

Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.

55 articles

Open Source Security

lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)

CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.

Dec 1, 20258 min read
Vulnerabilities

npm Security Vulnerabilities: How to Track Them

A practical system for tracking npm security vulnerabilities across a real dependency tree, why you shouldn't rely on npm check vulnerabilities output alone, and what to automate.

Apr 25, 20255 min read
AppSec

What Is vm2? The Node.js Sandbox and Its Security History

vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.

Apr 14, 20256 min read
Supply Chain Security

npm Supply Chain Attacks Q1 2025: Dependency Confusion, Typosquatting, and Maintainer Takeovers

The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.

Apr 1, 20256 min read
Supply Chain Security

Polyfill.io Supply Chain Attack: When a CDN Domain Changes Hands

A Chinese company acquired the polyfill.io domain and began injecting malicious code into websites that relied on the CDN, affecting over 100,000 sites. The attack exploited trust in third-party JavaScript.

Jun 25, 20246 min read
DevSecOps

Vite Build Tool Security Considerations

Vite has become the default build tool for a generation of JavaScript frameworks. Its plugin model, dev server, and dependency pre-bundling each carry distinct security implications worth understanding.

May 30, 20247 min read
Application Security

Prototype Pollution in JavaScript: Prevention Guide

Prototype pollution lets attackers modify the behavior of all JavaScript objects by injecting properties into Object.prototype. This guide covers exploitation techniques, real-world impact, and layered defenses.

Apr 5, 20246 min read
Secure Development

Node.js Permission Model: Restricting What Your Code Can Do

Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.

Mar 18, 20245 min read
Open Source Security

npm Registry Governance and the Security of node_modules

The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.

Jan 8, 20247 min read
Developer Security

Deno's Permission-Based Security Model: What It Gets Right and Where It Falls Short

Deno was built with security as a first-class concern, requiring explicit permissions for file, network, and environment access. Here is an honest assessment of what that model delivers in practice.

Nov 8, 20236 min read
Secure Development

Deno Security Model Advantages: Runtime Permissions Done Right

Deno requires explicit permission grants for file, network, and environment access. This capability-based model changes the supply chain risk equation.

Nov 5, 20235 min read
Application Security

React Native Security Considerations for Mobile Supply Chains

React Native introduces unique security challenges at the intersection of JavaScript and native mobile code. Understanding these risks is essential for securing cross-platform mobile applications.

Nov 5, 20237 min read
javascript (Page 4) — Safeguard Blog