Safeguard
Tag

nodejs-security

Safeguard articles tagged "nodejs-security" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Container Security

How to Containerize a Node.js App Securely

The default Node.js Dockerfile runs as root, ships dev dependencies, and bakes secrets into layers. Here is a secure, multi-stage build you can copy, step by step.

Jul 1, 20266 min read
Application Security

How to prevent log injection vulnerabilities in Node.js

Log injection lets attackers forge log entries in Node.js apps via unsanitized input. Learn the sanitization, encoding, and structured-logging fixes that stop it.

May 29, 20266 min read
Application Security

Comparing Node.js frameworks for security: Express, Fastify, NestJS

Express, Fastify, and NestJS compared on real CVE history, default security posture, and dependency risk — plus how to close the gaps framework choice alone can't.

May 24, 20267 min read
Application Security

5 Node.js security code snippets every backend developer should know

Five real Node.js vulnerability patterns with vulnerable-vs-fixed code: prototype pollution, NoSQL injection, missing headers, path traversal, and JWT flaws.

May 24, 20268 min read
Application Security

Preventing broken access control in Express.js applications

Express.js ships with no built-in authorization layer, making broken access control easy to introduce and hard to catch with pattern-based scanners.

Apr 17, 20267 min read
Application Security

Security concerns of using the Node.js VM module as a sandbox

Node's vm module and vm2 were never a security boundary. Four critical CVEs and a 2023 deprecation prove why untrusted-code sandboxes need real isolation.

Apr 17, 20261 min read
Industry Analysis

Node.js Security Best Practices

Node.js supply chain attacks like event-stream, ua-parser-js, and Shai-Hulud show why dependency depth is the real risk -- here's what actually reduces it.

Feb 24, 20266 min read
Open Source Security

npm supply chain attacks via malicious postinstall scripts

How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.

Jan 25, 20267 min read
Regulatory Compliance

NestJS dependency injection and module configuration secu...

NestJS's dependency injection container silently governs data isolation and supply-chain trust. Here's how scope, module, and factory misconfigurations turn into real security failures.

Jan 24, 20267 min read
Industry Analysis

Prototype pollution vulnerabilities in Node.js and NestJS...

How prototype pollution reaches NestJS apps through lodash, qs, tough-cookie, and dotenv-expand — and how Safeguard catches it before it merges.

Jan 24, 20267 min read
Vulnerability Analysis

systeminformation npm package command injection (CVE-2021-21315)

A critical command injection flaw in the systeminformation npm package (CVE-2021-21315) let attackers run OS commands via unsanitized shell calls. Here's the full breakdown.

Jan 12, 20268 min read
Vulnerability Analysis

Express qs library prototype pollution DoS (CVE-2022-24999)

CVE-2022-24999 lets attackers pollute Object.prototype through qs, the query-string parser Express relies on, crashing Node.js applications.

Jan 6, 20267 min read
nodejs-security — Safeguard Blog