Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Mobile app dependency vulnerability trends

Mobile apps now ship more third-party code than first-party. Safeguard's analysis breaks down where dependency vulnerabilities cluster and why.

Nov 9, 20257 min read
Open Source Security

Compromise of Legitimate Upstream Packages

From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.

Nov 4, 20257 min read
Open Source Security

Unmaintained Open Source Software: A Supply Chain Risk

Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.

Nov 3, 20257 min read
Open Source Security

Immature Open Source Projects as a Supply Chain Risk

xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.

Nov 3, 20257 min read
Open Source Security

Under/Oversized Dependency Risk in Modern Applications

Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.

Nov 2, 20257 min read
Open Source Security

faster_log and async_println: Rust's First Public Wallet-Stealing Crates

On September 24, 2025, crates.io removed faster_log and async_println — Rust typosquats that had quietly stolen Ethereum and Solana keys from 8,424 downloads since May.

Sep 30, 20255 min read
Open Source Security

How Snyk Container detects application-level dependencies...

A mechanical look at how Snyk Container scans image filesystems to detect npm, pip, Maven, and other application dependencies bundled inside containers.

Sep 6, 20257 min read
Open Source Security

How Snyk Container prioritizes OS package vulnerabilities...

A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.

Sep 5, 20258 min read
Open Source Security

How Snyk Container parses apk, deb, and rpm package datab...

How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.

Sep 4, 20257 min read
Open Source Security

How Snyk Open Source builds a full dependency tree from p...

How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.

Aug 30, 20258 min read
Open Source Security

How Snyk parses npm, yarn, and pnpm lockfiles differently...

How Snyk resolves exact package versions from npm, Yarn, and pnpm lockfiles — and why each format's structure demands its own parsing logic.

Aug 30, 20257 min read
Open Source Security

How Snyk resolves Maven and Gradle dependency graphs incl...

Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.

Aug 30, 20257 min read
Open Source Security (Page 18) — Supply Chain Security Blog | Safeguard