Open Source
In-depth guides and analysis on open source from the Safeguard engineering team.
9 articles
npm package signature verification: the 2026 rollout state
Every package on npm is signed by the registry, but the actual posture of install-time signature verification across real-world tooling is patchier than the headline suggests. This is where npm audit signatures and downstream verifiers stand in 2026.
A practical framework for assessing single-maintainer project risk
Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.
Maintainer burnout is a supply-chain risk: lessons from xz-utils
The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.
The bootloader supply chain: what an OS vendor controls versus inherits
Between firmware and the kernel sits a thin layer of code that almost no one audits and almost everyone trusts. Understanding the supply chain behind shim, GRUB, and u-boot is the difference between owning your boot path and renting it.
Open Source Risk Management: Beyond Vulnerability Scanning
Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.
Open Source Maintainer Succession Planning: A Supply Chain Imperative
When a solo maintainer disappears, entire dependency chains are at risk. How organizations should approach succession planning for critical open source projects.
Software Heritage and the Case for Source Code Preservation
Software Heritage archives the world's source code. Here is why that matters for supply chain security, reproducibility, and long-term software integrity.
Open Source Funding, Sustainability, and Security
The software industry runs on open source maintained by unpaid volunteers. Until we fix the funding problem, we can't fix the security problem.
The Open Source Maintainer Burnout Crisis and Its Security Consequences
Burned-out maintainers abandon projects, accept risky PRs without review, and hand off keys to strangers. The burnout crisis is a supply chain security crisis.