node-js
Safeguard articles tagged "node-js" — guides, analysis, and best practices for software supply chain and application security.
20 articles
npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain
npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.
Node.js Permission Model: Restricting What Your Code Can Do
Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.
npm Registry Governance and the Security of node_modules
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
Express.js Security Middleware: An Audit
Express remains the default Node.js framework at most shops, and its middleware ecosystem is a thirteen-year accumulation of packages, some abandoned, some indispensable. This is a pragmatic audit of what belongs in a 2023 Express stack.
Electron ContextBridge Security: Building Safe Desktop Apps
Electron's ContextBridge is the secure boundary between web content and Node.js APIs. This guide covers how to use it correctly, common mistakes that create RCE vulnerabilities, and security best practices for Electron applications.
npm Manifest Confusion: The Hidden Vulnerability in Every Node.js Project
A fundamental flaw in npm's package handling allowed published package metadata to differ from actual package contents, undermining trust in the entire ecosystem.
npm Lockfile Injection Attacks: How Tampered package-lock.json Files Compromise Builds
Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.
Electron App Supply Chain Security: Desktop Apps Built on Web Dependencies
Electron apps ship a full Chromium browser and Node.js runtime to the desktop. That means every web supply chain risk becomes a desktop attack surface — with elevated privileges.