Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Go Module Hijacking Detection

Module hijacking in Go is rare compared to npm, but it does happen, and the patterns worth watching are different from what you might expect from other ecosystems.

Jun 18, 20247 min read
Open Source Security

Bundler Lockfile Security Practices

How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in Bundler 2.5's expanded lockfile format.

Jun 14, 20248 min read
Open Source Security

npm Workspaces Security Considerations

Workspaces are fantastic for developer experience and hostile to naive security tooling. Here is what actually changes when you flip them on.

Jun 12, 20246 min read
Open Source Security

Maven Central Changes in 2024 and Their Security Impact

Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what changed, who was affected, and what Java teams should do.

May 28, 20246 min read
Open Source Security

Go Workspaces Supply Chain Risks

Go workspaces make multi-module development feel natural, but the go.work file introduces a new trust boundary that can quietly override pinned versions and bypass checksum verification.

May 22, 20246 min read
Open Source Security

PyPI Package Yanking Policies Analyzed

Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, what it doesn't do, and when to use it instead of a delete.

May 22, 20247 min read
Open Source Security

.NET Supply Chain Audit Patterns

Auditing a .NET supply chain is a different exercise than auditing a JavaScript one, and the patterns that actually find problems are specific to how the ecosystem works.

May 18, 20246 min read
Open Source Security

Managing Python Package Namespace Conflicts

Python's flat namespace creates real security problems. Here is how namespace packages, shadowing, and install order interact, and how to avoid the surprises.

May 18, 20246 min read
Open Source Security

Rust no_std Supply Chain Considerations

Writing Rust for embedded or kernel targets drops you into no_std territory, and the supply chain rules are different there. A practical look at what changes and why.

May 15, 20247 min read
Open Source Security

The OSS Pledge: Adoption Tracking at Six Months

Six months after the OSS Pledge launch, adoption is climbing but uneven. Who signed, who followed through with funding, and what the pledge has actually shifted in open-source economics.

May 14, 20246 min read
Open Source Security

Kotlin Multiplatform Supply Chain Risks

Kotlin Multiplatform ships one codebase to JVM, iOS, Android, JS, and native targets. The supply chain surface expands in specific ways worth tracking.

May 12, 20246 min read
Open Source Security

CNCF Project Security Audits: What They Find and Why They Matter

The Cloud Native Computing Foundation funds independent security audits for its projects. The findings reveal patterns that every cloud native adopter should understand.

May 12, 20246 min read
Open Source Security (Page 28) — Supply Chain Security Blog | Safeguard