Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Open Source Security

The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk

In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.

Jul 8, 20266 min read
Open Source Security

Inside OpenSSF's priority stack: SBOM, Scorecard, and Sigstore

OpenSSF now runs eight technical initiative areas and four flagship projects — most teams have heard of one and adopted none. Here's what's actually worth doing first.

Jul 8, 20267 min read
Open Source Security

The security risk of LLMs reviving abandoned open-source packages

USENIX Security 2025 found 19.7% of LLM code samples hallucinate a package name — and real, dormant packages carry the same blind trust.

Jul 8, 20267 min read
Open Source Security

Managing Open Source Component Risk at Scale

A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.

Jul 7, 20268 min read
Open Source Security

Native-extension vulnerabilities in Python packages

numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.

Jul 7, 20266 min read
Open Source Security

Protestware via prompt injection: when maintainers target AI agents

jqwik 1.10.0 shipped a hidden instruction telling AI coding agents to delete their own tests, then erased it from the terminal with ANSI codes — protestware built for agents, not humans.

Jul 7, 20267 min read
Open Source Security

Should open source maintainers get free enterprise security tooling?

80-90% of the average codebase is open source, built largely by unpaid maintainers — Snyk's year-old maintainer program now covers 60+ projects for free.

Jul 7, 20266 min read
Open Source Security

Software Composition Analysis (SCA) Explained

SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.

Jul 4, 20267 min read
Open Source Security

Dependabot security updates and automated dependency pull...

Dependabot opens patch PRs from known CVEs, but backlogs pile up and malicious packages slip through. Here's what it misses versus GitHub Advanced Security.

Jun 30, 20267 min read
Open Source Security

Dependabot malware detection in open source packages

Dependabot catches known vulnerabilities, not injected malware. Here's how GitHub Advanced Security handles malicious packages — and where the gaps remain.

Jun 29, 20267 min read
Open Source Security

Auto-triage rules for Dependabot pull requests at scale

Dependabot floods teams with PRs, but not every alert deserves equal attention. Here's how auto-triage rules cut noise at scale, and where GHAS falls short.

Jun 29, 20268 min read
Open Source Security (Page 2) — Supply Chain Security Blog | Safeguard