nodejs-security
Safeguard articles tagged "nodejs-security" — guides, analysis, and best practices for software supply chain and application security.
34 articles
How to Containerize a Node.js App Securely
The default Node.js Dockerfile runs as root, ships dev dependencies, and bakes secrets into layers. Here is a secure, multi-stage build you can copy, step by step.
How to prevent log injection vulnerabilities in Node.js
Log injection lets attackers forge log entries in Node.js apps via unsanitized input. Learn the sanitization, encoding, and structured-logging fixes that stop it.
Comparing Node.js frameworks for security: Express, Fastify, NestJS
Express, Fastify, and NestJS compared on real CVE history, default security posture, and dependency risk — plus how to close the gaps framework choice alone can't.
5 Node.js security code snippets every backend developer should know
Five real Node.js vulnerability patterns with vulnerable-vs-fixed code: prototype pollution, NoSQL injection, missing headers, path traversal, and JWT flaws.
Preventing broken access control in Express.js applications
Express.js ships with no built-in authorization layer, making broken access control easy to introduce and hard to catch with pattern-based scanners.
Security concerns of using the Node.js VM module as a sandbox
Node's vm module and vm2 were never a security boundary. Four critical CVEs and a 2023 deprecation prove why untrusted-code sandboxes need real isolation.
Node.js Security Best Practices
Node.js supply chain attacks like event-stream, ua-parser-js, and Shai-Hulud show why dependency depth is the real risk -- here's what actually reduces it.
npm supply chain attacks via malicious postinstall scripts
How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.
NestJS dependency injection and module configuration secu...
NestJS's dependency injection container silently governs data isolation and supply-chain trust. Here's how scope, module, and factory misconfigurations turn into real security failures.
Prototype pollution vulnerabilities in Node.js and NestJS...
How prototype pollution reaches NestJS apps through lodash, qs, tough-cookie, and dotenv-expand — and how Safeguard catches it before it merges.
systeminformation npm package command injection (CVE-2021-21315)
A critical command injection flaw in the systeminformation npm package (CVE-2021-21315) let attackers run OS commands via unsanitized shell calls. Here's the full breakdown.
Express qs library prototype pollution DoS (CVE-2022-24999)
CVE-2022-24999 lets attackers pollute Object.prototype through qs, the query-string parser Express relies on, crashing Node.js applications.