Safeguard
Tag

npm-supply-chain

Safeguard articles tagged "npm-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

13 articles

Application Security

React security best practices: stopping XSS, dangerouslySetInnerHTML, and dependency risk

React auto-escapes JSX text by default, but dangerouslySetInnerHTML, href injection, and a 500-package npm worm show where that protection stops.

Jul 11, 20266 min read
Vulnerability Analysis

lodash merge/mergeWith prototype pollution (CVE-2018-3721)

A deep dive into CVE-2018-3721, the lodash merge/mergeWith prototype pollution flaw: its real-world impact, affected versions, and how to remediate it fast.

Jan 6, 20269 min read
Vulnerability Analysis

underscore.js template code injection (CVE-2021-23358)

CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.

Jan 5, 20267 min read
Vulnerability Analysis

ws WebSocket library header DoS (CVE-2021-32640)

CVE-2021-32640 lets attackers stall Node.js WebSocket servers via a crafted header in the widely-used ws npm package. Here's the fix.

Jan 5, 20267 min read
Vulnerability Analysis

path-parse regular expression denial of service (CVE-2021-23343)

A ReDoS flaw in path-parse (CVE-2021-23343) lurks deep in webpack and resolve dependency trees. Here's the impact, timeline, and how to fix it.

Jan 3, 20267 min read
Vulnerability Analysis

minimatch regular expression denial of service (CVE-2022-3517)

A ReDoS flaw in minimatch (CVE-2022-3517) lets a single crafted string hang Node.js processes. Here's what's affected, the risk context, and how to fix it.

Jan 3, 20267 min read
Vulnerability Analysis

cross-spawn ReDoS vulnerability (CVE-2024-21538)

CVE-2024-21538 is a ReDoS flaw in the widely-used cross-spawn npm package. Learn the impact, CVSS/EPSS context, and how to remediate it.

Jan 1, 20267 min read
Incident Analysis

UAParser.js npm package compromise

A deep dive into the 2021 ua-parser-js npm compromise: how a hijacked maintainer account delivered cryptominers and credential stealers to millions.

Nov 8, 20257 min read
Incident Analysis

chalk and debug npm package compromise incident

A phished maintainer account led to a malicious npm publish of chalk, debug, and 16 related packages, exposing a crypto-clipper to billions of weekly downloads.

Nov 5, 20257 min read
Vulnerability Analysis

CVE-2020-7729: Command injection in node-notifier

CVE-2020-7729 lets attacker-influenced input reach node-notifier's OS notifier calls, enabling command injection. Here's the impact, timeline, and fix.

Oct 14, 20257 min read
Vulnerability Analysis

CVE-2021-23343: ReDoS in path-parse

CVE-2021-23343 is a ReDoS vulnerability in path-parse before 1.0.7 that lets crafted path strings stall Node.js apps. Here's how it works and how to fix it.

Oct 14, 20257 min read
Vulnerability Analysis

CVE-2023-26159: SSRF/credential exposure in follow-redire...

CVE-2023-26159 shows how flawed URL parsing in follow-redirects let attackers trigger SSRF and leak Authorization headers across unintended hosts.

Oct 12, 20257 min read
npm-supply-chain — Safeguard Blog