javascript
Safeguard articles tagged "javascript" — guides, analysis, and best practices for software supply chain and application security.
55 articles
lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)
CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.
npm Security Vulnerabilities: How to Track Them
A practical system for tracking npm security vulnerabilities across a real dependency tree, why you shouldn't rely on npm check vulnerabilities output alone, and what to automate.
What Is vm2? The Node.js Sandbox and Its Security History
vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.
npm Supply Chain Attacks Q1 2025: Dependency Confusion, Typosquatting, and Maintainer Takeovers
The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.
Polyfill.io Supply Chain Attack: When a CDN Domain Changes Hands
A Chinese company acquired the polyfill.io domain and began injecting malicious code into websites that relied on the CDN, affecting over 100,000 sites. The attack exploited trust in third-party JavaScript.
Vite Build Tool Security Considerations
Vite has become the default build tool for a generation of JavaScript frameworks. Its plugin model, dev server, and dependency pre-bundling each carry distinct security implications worth understanding.
Prototype Pollution in JavaScript: Prevention Guide
Prototype pollution lets attackers modify the behavior of all JavaScript objects by injecting properties into Object.prototype. This guide covers exploitation techniques, real-world impact, and layered defenses.
Node.js Permission Model: Restricting What Your Code Can Do
Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.
npm Registry Governance and the Security of node_modules
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
Deno's Permission-Based Security Model: What It Gets Right and Where It Falls Short
Deno was built with security as a first-class concern, requiring explicit permissions for file, network, and environment access. Here is an honest assessment of what that model delivers in practice.
Deno Security Model Advantages: Runtime Permissions Done Right
Deno requires explicit permission grants for file, network, and environment access. This capability-based model changes the supply chain risk equation.
React Native Security Considerations for Mobile Supply Chains
React Native introduces unique security challenges at the intersection of JavaScript and native mobile code. Understanding these risks is essential for securing cross-platform mobile applications.