Safeguard
Topic

Open Source

In-depth guides and analysis on open source from the Safeguard engineering team.

9 articles

Open Source

npm package signature verification: the 2026 rollout state

Every package on npm is signed by the registry, but the actual posture of install-time signature verification across real-world tooling is patchier than the headline suggests. This is where npm audit signatures and downstream verifiers stand in 2026.

May 14, 202610 min read
Open Source

A practical framework for assessing single-maintainer project risk

Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.

May 14, 20268 min read
Open Source

Maintainer burnout is a supply-chain risk: lessons from xz-utils

The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.

May 13, 20267 min read
Open Source

The bootloader supply chain: what an OS vendor controls versus inherits

Between firmware and the kernel sits a thin layer of code that almost no one audits and almost everyone trusts. Understanding the supply chain behind shim, GRUB, and u-boot is the difference between owning your boot path and renting it.

May 13, 20267 min read
Open Source

Open Source Risk Management: Beyond Vulnerability Scanning

Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.

Jan 5, 20263 min read
Open Source

Open Source Maintainer Succession Planning: A Supply Chain Imperative

When a solo maintainer disappears, entire dependency chains are at risk. How organizations should approach succession planning for critical open source projects.

Aug 10, 20256 min read
Open Source

Software Heritage and the Case for Source Code Preservation

Software Heritage archives the world's source code. Here is why that matters for supply chain security, reproducibility, and long-term software integrity.

Apr 8, 20237 min read
Open Source

Open Source Funding, Sustainability, and Security

The software industry runs on open source maintained by unpaid volunteers. Until we fix the funding problem, we can't fix the security problem.

Dec 15, 20229 min read
Open Source

The Open Source Maintainer Burnout Crisis and Its Security Consequences

Burned-out maintainers abandon projects, accept risky PRs without review, and hand off keys to strangers. The burnout crisis is a supply chain security crisis.

Nov 20, 20226 min read
Open Source — Supply Chain Security Blog | Safeguard