Well, it is not so much a "changing the contents of a cached JS file"-issue, as any code that runs on a client machine can be altered for malicious use. That, and most browsers nowadays have a convenient console allowing you to create and run JavaScript functions on the fly making this nicely easy!
The solution is in securing your code on the servier-side, i.e. in the example you mention in the method that takes the POST data and publishes it as a new article.
You can overcome this in numerous manners, one would be validating the users session by passing a token along with the article data. Server side, you create and pair a unique token for a unique user session and store it there. The token thus isn't the session identifier, but an identifier that should be interpreted as "the pass allowing user x to submit an article under conditions y". So for instance the HTML page could be creating a hidden form field containing this unique string which is only valid for a single request, and for a specific user session. So when the user submits the form, the server not only validates the contents of the form (as this too could be tampered with on the client side), but also reads the token value and tries to find a stored match for it for the users session AND validates whether it is valid for the action the user is trying to execute. After passing these validations, the stored token can be removed as it is now invalid. You could add additional checks to see whether to token was used in a given time slot should you want to, whether the IP still matches, or preferably whether the user hasn't logged out of that session in the meantime, etc (IF you use registered users in your application, this has the benefit that you can only allow registered users to submit data, but this has the down side that it requires all visitors to register before they can interact with the site.).
So if a funny guy tries to re-submit the same form but with nonsensical (or malicious!) data, the server side code would deny the request as the token was used / or the users session doesn't match the stored token and thus is invalid (additionally, you could also use server side validation to look for naughty words in the body text, non-valid e-mail addresses, etc, but that has more to do with sanitizing the content of your website, rather than strict security).