Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Mobile app dependency vulnerability trends
Mobile apps now ship more third-party code than first-party. Safeguard's analysis breaks down where dependency vulnerabilities cluster and why.
Compromise of Legitimate Upstream Packages
From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.
Unmaintained Open Source Software: A Supply Chain Risk
Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.
Immature Open Source Projects as a Supply Chain Risk
xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.
Under/Oversized Dependency Risk in Modern Applications
Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.
faster_log and async_println: Rust's First Public Wallet-Stealing Crates
On September 24, 2025, crates.io removed faster_log and async_println — Rust typosquats that had quietly stolen Ethereum and Solana keys from 8,424 downloads since May.
How Snyk Container detects application-level dependencies...
A mechanical look at how Snyk Container scans image filesystems to detect npm, pip, Maven, and other application dependencies bundled inside containers.
How Snyk Container prioritizes OS package vulnerabilities...
A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.
How Snyk Container parses apk, deb, and rpm package datab...
How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.
How Snyk Open Source builds a full dependency tree from p...
How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.
How Snyk parses npm, yarn, and pnpm lockfiles differently...
How Snyk resolves exact package versions from npm, Yarn, and pnpm lockfiles — and why each format's structure demands its own parsing logic.
How Snyk resolves Maven and Gradle dependency graphs incl...
Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.