
JavaScript Security

1. Fundamentals of JavaScript Security
2. Core Client-Side Vulnerabilities
3. Defensive Coding and Mitigation Strategies
4. Browser Security Policies and Features
5. Server-Side Defenses for Client-Side Security
6. Third-Party Code and Supply Chain Security
7. Security in Modern JavaScript Frameworks
8. Advanced Topics
9. Security Testing and Analysis
6. Third-Party Code and Supply Chain Security
  1. Risks of Third-Party Libraries
    1. Malicious Packages in Registries
      1. NPM Registry Threats
        1. Typosquatting Attacks
        2. Package Takeover
    2. Vulnerabilities in Legitimate Libraries
      1. Outdated Dependencies
      2. Unpatched Security Flaws
      3. Transitive Dependencies
    3. Dependency Confusion
      1. Namespace Collisions
      2. Private vs. Public Packages
      3. Internal Package Hijacking
  2. Mitigation Strategies
    1. Vetting Dependencies
      1. Reviewing Source and Reputation
      2. Minimal Dependency Principle
      3. License Compliance
    2. Using Lockfiles
      1. package-lock.json
      2. yarn.lock
      3. Ensuring Deterministic Installs
    3. Regular Vulnerability Scanning
      1. npm audit
      2. yarn audit
      3. Automated Security Alerts
      4. Continuous Monitoring
    4. Implementing Subresource Integrity (SRI) for CDN-hosted Scripts
      1. Ensuring Script Authenticity
      2. Hash Verification
    5. Package Signing and Verification
      1. Digital Signatures
      2. Trust Chains
    6. Private Package Registries
      1. Internal Hosting
      2. Access Control
    7. Software Composition Analysis
      1. Dependency Mapping
      2. License Analysis
      3. Vulnerability Tracking
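
Two of the outline's items, "Dependency Confusion" (private vs. public packages) and "Using Lockfiles" (ensuring deterministic installs), can be checked mechanically from a package-lock.json. The Node.js script below is an added example, not code from the original page or from npm itself: it walks the `packages` map of a lockfileVersion 2/3 lock and flags entries that carry no `integrity` field (so `npm ci` cannot detect a swapped tarball) and entries whose name belongs to an internal scope or internal-name list yet resolved to the public registry (the dependency-confusion pattern). The lockfile, the `@acme` scope, the `acme-telemetry` name and the hostnames are constructed for the example.

```javascript
// Added example: lockfile audit for missing integrity and dependency confusion.
// Not part of the original outline; sample data below is constructed.

// Registry that unscoped public names resolve to by default.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Package name for a "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i < 0 ? lockPath : lockPath.slice(i + marker.length);
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
// policy.internalScopes: scopes that exist only on the private registry, e.g. ["@acme"].
// policy.internalNames: unscoped internal names that must never come from the public registry.
// Returns one finding per problem; an empty array means the lockfile passes.
function auditLockfile(lock, policy) {
  const scopes = policy.internalScopes || [];
  const names = policy.internalNames || [];
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    if (entry.link) continue;      // workspace symlink, no tarball to verify
    const name = entry.name || nameFromLockPath(lockPath);
    const resolved = entry.resolved || "";
    // 1. No integrity hash: `npm ci` installs whatever the registry serves,
    //    so the install is not deterministic and tampering goes unnoticed.
    if (!entry.integrity) {
      findings.push({ name, kind: "missing-integrity", resolved });
    }
    // 2. An internal name that resolved to the public registry: someone
    //    published that name publicly (usually with a higher version) and
    //    the client preferred it over the private package.
    const internal = scopes.some((s) => name.startsWith(s + "/")) || names.includes(name);
    if (internal && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, kind: "dependency-confusion", resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile. "@acme", "acme-telemetry" and the hosts are
// assumptions for this example; the integrity strings are placeholders.
const SAMPLE_LOCK = {
  name: "webapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "webapp", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-placeholder+digest+for+example+only==",
    },
    "node_modules/@acme/auth-client": {
      version: "2.1.0",
      resolved: "https://npm.acme.internal/@acme/auth-client/-/auth-client-2.1.0.tgz",
      integrity: "sha512-placeholder+digest+for+example+only==",
    },
    // Internal name, but the lock records it coming from the public registry
    // with a suspiciously high version and no integrity: both checks fire.
    "node_modules/acme-telemetry": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-telemetry/-/acme-telemetry-99.0.0.tgz",
    },
  },
};

const POLICY = { internalScopes: ["@acme"], internalNames: ["acme-telemetry"] };

function lockfileDemo() {
  return auditLockfile(SAMPLE_LOCK, POLICY);
}

console.log(lockfileDemo());
```

Run this in CI against the committed lockfile and fail the build on any finding. The durable fix for the confusion case is to publish internal packages under a scope and pin that scope to the private registry in `.npmrc` (`@acme:registry=https://npm.acme.internal/`), so an unscoped public lookalike can never be resolved for it.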

© 2025 Useful Links. All rights reserved.