Safeguard
Tag

node-js

Safeguard articles tagged "node-js" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Supply Chain Security

npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain

npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.

Mar 20, 20247 min read
Secure Development

Node.js Permission Model: Restricting What Your Code Can Do

Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.

Mar 18, 20245 min read
Open Source Security

npm Registry Governance and the Security of node_modules

The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.

Jan 8, 20247 min read
Best Practices

Express.js Security Middleware: An Audit

Express remains the default Node.js framework at most shops, and its middleware ecosystem is a thirteen-year accumulation of packages, some abandoned, some indispensable. This is a pragmatic audit of what belongs in a 2023 Express stack.

Nov 15, 20236 min read
Application Security

Electron ContextBridge Security: Building Safe Desktop Apps

Electron's ContextBridge is the secure boundary between web content and Node.js APIs. This guide covers how to use it correctly, common mistakes that create RCE vulnerabilities, and security best practices for Electron applications.

Jul 5, 20236 min read
Supply Chain Attacks

npm Manifest Confusion: The Hidden Vulnerability in Every Node.js Project

A fundamental flaw in npm's package handling allowed published package metadata to differ from actual package contents, undermining trust in the entire ecosystem.

Apr 15, 20236 min read
Software Supply Chain Security

npm Lockfile Injection Attacks: How Tampered package-lock.json Files Compromise Builds

Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.

Jul 5, 20225 min read
Application Security

Electron App Supply Chain Security: Desktop Apps Built on Web Dependencies

Electron apps ship a full Chromium browser and Node.js runtime to the desktop. That means every web supply chain risk becomes a desktop attack surface — with elevated privileges.

Jun 12, 20225 min read
node-js (Page 2) — Safeguard Blog