NodeShield: Runtime Enforcement of Security-Enhanced SBOMs for Node.js

📅 2025-08-19
🤖 AI Summary
To address the risks of dependency misuse and unauthorized system resource access in the Node.js software supply chain, this paper proposes NodeShield, a lightweight, non-intrusive runtime protection mechanism. NodeShield introduces the Capability Bill of Materials (CBOM), the first capability-oriented extension of the SBOM, which enables component-level capability declarations and fine-grained policy specification. It uses static analysis to generate capability inventories, and at runtime it enforces dependency-layer constraints and system resource access control via code outlining, without modifying application code or the Node.js runtime, so it stays fully compatible with the standard ecosystem. The evaluation shows that NodeShield mitigates over 98% of 67 known supply-chain attacks, adds less than 1 ms of average overhead per request, and needs at most seven policy entries per dependency, balancing security assurance, automation, and minimal performance impact.

📝 Abstract
The software supply chain is an increasingly common attack vector for malicious actors. The Node.js ecosystem has been subject to a wide array of attacks, likely due to its size and prevalence. To counter such attacks, the research community and practitioners have proposed a range of static and dynamic mechanisms, including process- and language-level sandboxing, permission systems, and taint tracking. Drawing on valuable insight from these works, this paper studies a runtime protection mechanism for (the supply chain of) Node.js applications with the ambitious goals of compatibility, automation, minimal overhead, and policy conciseness. Specifically, we design, implement and evaluate NodeShield, a protection mechanism for Node.js that enforces an application's dependency hierarchy and controls access to system resources at runtime. We leverage the up-and-coming SBOM standard as the source of truth for the dependency hierarchy of the application, thus preventing components from stealthily abusing undeclared components. We propose to enhance the SBOM with a notion of capabilities that represents a set of related system resources a component may access. Our proposed SBOM extension, the Capability Bill of Materials or CBOM, records the required capabilities of each component, providing valuable insight into the potential privileged behavior. NodeShield enforces the SBOM and CBOM at runtime via code outlining (as opposed to inlining) with no modifications to the original code or Node.js runtime, thus preventing unexpected, potentially malicious behavior. Our evaluation shows that NodeShield can prevent over 98% out of 67 known supply chain attacks while incurring minimal overhead on servers at less than 1ms per request. We achieve this while maintaining broad compatibility with vanilla Node.js and a concise policy language that consists of at most 7 entries per dependency.
Problem

Research questions and friction points this paper is trying to address.

Enhancing Node.js security against software supply chain attacks
Enforcing dependency hierarchy and system resource access control
Minimizing runtime overhead while ensuring compatibility and automation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Runtime enforcement of security-enhanced SBOMs
Code outlining without modifying original runtime
CBOM extension for capability-based access control