Safeguard
Tag

nodejs

Safeguard articles tagged "nodejs" — guides, analysis, and best practices for software supply chain and application security.

50 articles

Container Security

Distroless Node.js 20 on Debian 12 Image Deep Dive

A deep dive into the gcr.io/distroless/nodejs20-debian12 image: contents, attack surface, real-world CVE exposure, and where it fits in production.

Feb 19, 20265 min read
Open Source Security

The coa and rc npm Maintainer Account Hijack Incident

How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.

Dec 1, 20256 min read
Open Source Security

Node.js runtime CVE roundup

A roundup of Node.js runtime CVEs since 2024 — command injection, HTTP smuggling, permission bypasses, and why runtime flaws evade typical dependency scanners.

Nov 28, 20257 min read
Industry Analysis

SQL Injection Prevention in Node.js/JavaScript

SQL injection still hits Node.js apps through raw drivers, Sequelize, Prisma, and Knex alike. Here's how it happens, what safe queries look like, and how to catch it in CI.

Oct 27, 20259 min read
Industry Analysis

Secure Random Number Generation in JavaScript with crypto...

Math.random() is predictable and unsafe for security tokens. Here's why Node's crypto.randomBytes() is the standard for secure JavaScript randomness.

Oct 20, 20257 min read
Vulnerability Analysis

CVE-2017-16137: ReDoS in debug package

CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.

Oct 16, 20258 min read
Vulnerability Analysis

CVE-2022-25883: ReDoS in semver package

CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2023-30547: Sandbox escape via Node custom inspect in...

CVE-2023-30547 lets attackers escape the vm2 Node.js sandbox via a crafted custom inspect method, achieving host code execution. Here's the impact, timeline, and fix.

Oct 10, 20258 min read
Guides

How to Verify an npm Package Before Installing It

Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.

Jul 9, 20256 min read
Dev Practices

Node.js Backend Security Checklist

A working checklist for securing a Node.js backend: dependency hygiene, input validation, secrets, HTTP headers, and the CI gates that keep regressions out.

Mar 18, 20256 min read
Containers

Node.js in Docker: Choosing and Securing Your Base Image

The Docker Node base image you pick decides your CVE count before you write a line of code. Here is how to choose between Debian, slim, and Alpine — and harden whichever you pick.

Mar 12, 20257 min read
Vulnerabilities

CVE-2022-24785: The Moment.js Path Traversal, Explained

A user-controlled locale string was all it took: how CVE-2022-24785 let attackers traverse paths through Moment.js locale loading on Node.js, and why the fix is a one-line upgrade.

May 21, 20245 min read
nodejs (Page 4) — Safeguard Blog