Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Building an OSPO security governance model for license and vulnerability risk

77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.

Jul 15, 20266 min read
Open Source Security

Common Go module vulnerability patterns and how govulncheck helps

Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.

Jul 14, 20266 min read
Open Source Security

The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection

Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.

Jul 14, 20266 min read
Open Source Security

Top open-source vulnerabilities in the npm ecosystem

Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.

Jul 14, 20267 min read
Open Source Security

Recurring vulnerability patterns in the PyPI ecosystem

PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.

Jul 14, 20266 min read
Open Source Security

Contributing to open source securely: a guide for new maintainers and PR authors

It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.

Jul 12, 20267 min read
Open Source Security

Bundler dependency resolution and safe Gemfile upgrade strategies

In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.

Jul 11, 20266 min read
Open Source Security

Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI

Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.

Jul 10, 20266 min read
Open Source Security

The 4 dimensions of open-source dependency risk

Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.

Jul 9, 20267 min read
Open Source Security

How to publish a secure Python package: signing, SBOMs, and trusted publishing

PyPI enforced two-factor authentication for all users on January 1, 2024 — but 2FA alone doesn't stop a stolen API token. Here's the full secure-publishing stack.

Jul 8, 20267 min read
Open Source Security

What the curl CVE disclosures teach about patching embedded C libraries

curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.

Jul 8, 20267 min read
Open Source Security

Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs

Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.

Jul 8, 20267 min read
Open Source Security — Supply Chain Security Blog | Safeguard