I share knowledge and information about the web and web service development.
Blocking CDN Tampering with Subresource Integrity (SRI): Lessons from Polyfill.io
2026-05-22
The 2024 Polyfill.io incident showed how a single CDN-hosted script can infect over 100,000 sites at once. This article covers how Subresource Integrity (SRI) works, how to apply it, and how to handle dynamic CSS like Google Fonts where SRI cannot be used directly.
Validating New Dependencies at the PR Stage with GitHub Dependency Review Action
2026-05-21
How to use GitHub's dependency-review-action to prevent PRs from introducing packages with known CVEs, license violations, or risky maintainer changes — with real incident examples.
Strengthening Security Scanning with CodeQL and yarn npm audit
2026-05-20
Two threats that supply chain cooldown alone cannot stop — newly discovered CVEs in already-installed dependencies, and vulnerabilities in your own code — and how to address them with yarn npm audit and GitHub CodeQL, illustrated with real incident examples.
Gaining Dependency Visibility with SBOM: Lessons from Log4Shell
2026-05-19
If your team cannot immediately answer "are we affected?" when a new vulnerability is disclosed, your dependency visibility is insufficient. Using Log4Shell as a case study, this article explains why SBOM (Software Bill of Materials) matters and how to automate it with GitHub Dependency Submission.
Blocking Lockfile Tampering Attacks with Yarn 4 Hardened Mode
2026-05-18
Covers lockfile tampering — a gap in supply chain defenses — and explains how Yarn 4's Hardened Mode closes it by verifying resolutions and integrity hashes on every install. Includes how to enable it with a single line of configuration.
The Effectiveness and Limits of Cooldown as a Supply Chain Defense
2026-05-17
A data-driven evaluation of how effective time-based supply chain defenses — Dependabot cooldown and package manager minimum release age — actually are, using historical incident data.
3 Defense Strategies Against npm Supply Chain Attacks
2026-05-16
Three concrete strategies for defending against npm supply chain attacks. Covers GitHub Actions SHA pinning, Dependabot cooldown, and Yarn 4's npmMinimalAgeGate — step by step, with code.
How npm Supply Chain Attacks Work: The axios Case Study
2026-05-15
An analysis of the axios supply chain attack that hit the npm ecosystem in March 2026. Covers the full attack chain — maintainer account hijack, malicious dependency injection, and RAT deployment via a postinstall script — along with the structural weaknesses in npm's trust model.
word-break: break-word is Deprecated — Why You Should Switch to overflow-wrap: anywhere
2026-03-18
word-break: break-word is a deprecated legacy value in the CSS spec. Its alternative, overflow-wrap: break-word, also has a pitfall where it fails on intrinsic sizing elements. Learn the recommended CSS combination (overflow-wrap: anywhere + word-break: normal + line-break: strict) and how to automate enforcement with a Stylelint custom plugin.
[Optimization] Reducing Bundle Size by 82% with lodash Tree Shaking: From 547KB to 97KB
2026-02-28
Sharing the experience of reducing bundle size from 547KB to 97KB (approximately 82%) by changing the lodash import method in a monorepo environment. Covers the entire process from setting up bundle analysis to preventing recurrence with ESLint rules.
Sharing the methods applied to improve Lighthouse performance scores on an Astro blog, including image optimization, CSS optimization, web font optimization, and accessibility improvements.