npm-vulnerabilities
Safeguard articles tagged "npm-vulnerabilities" — guides, analysis, and best practices for software supply chain and application security.
11 articles
NPM package vulnerabilities: risks and detection
NPM's open, high-velocity ecosystem makes it a top target for supply chain attacks. Here's how vulnerabilities slip past scanners like Trivy undetected.
JavaScript Security Explained
JavaScript security means managing three attack surfaces: runtime bugs, browser XSS, and npm supply chain compromise — the last of which caused 2025's biggest incidents.
Node.js Security Best Practices
Node.js supply chain attacks like event-stream, ua-parser-js, and Shai-Hulud show why dependency depth is the real risk -- here's what actually reduces it.
protobufjs prototype pollution (CVE-2022-25878)
CVE-2022-25878 is a critical prototype pollution flaw in protobufjs. Here's what's affected, the CVSS/EPSS context, and how to remediate it fast.
Most vulnerable npm packages of the year
Safeguard's 2026 mid-year analysis of the npm registry breaks down the packages driving the most risk and why the same names keep coming back.
Prototype Pollution in JavaScript Applications
Prototype pollution has hit lodash, jQuery, and minimist with real CVEs, from DoS to RCE. Here's how the bug works and how Safeguard catches it before it ships.
CVE-2022-21680: ReDoS in marked via block token regexes
CVE-2022-21680: how a ReDoS in marked's block-tokenizer regexes could let attackers freeze Markdown-rendering services, plus affected versions, fix, and mitigation steps.
CVE-2022-0235: node-fetch forwards sensitive headers on r...
CVE-2022-0235: node-fetch forwarded cookie and authorization headers across cross-origin redirects. Affected versions, exploitability context, and remediation steps.
CVE-2022-0155: follow-redirects leaks Proxy-Authorization...
CVE-2022-0155: follow-redirects leaked Proxy-Authorization headers across hosts on redirect, exposing proxy credentials via axios and other widely used npm HTTP clients.
CVE-2022-0536: follow-redirects leaks Authorization heade...
CVE-2022-0536 let follow-redirects forward Authorization headers to third-party hosts on cross-domain redirects, exposing tokens and credentials.
npm Vulnerabilities: Detection, Triage, and Fix Workflow
Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.