Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Spring Dependency Management Supply Chain
Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.
npm Registry Authentication Deep Dive
The npm registry supports four distinct authentication flows. Most teams use one, badly. A tour of how auth actually works, what the tokens look like, and where the model breaks.
PyPI Supply Chain Attacks: Q1 2024 Roundup
Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked like and how to defend.
PyPI Package Namespace Governance
PyPI's flat global namespace is one of Python packaging's oldest design decisions. How it's governed today, where the tension points are, and what the PEP 752 debate means for the future.
RubyGems 2FA Enforcement Analysis
A look at how RubyGems.org rolled out mandatory 2FA for high-traffic gem maintainers, what it has caught, and what gaps still remain in the account-compromise defense story.
Go Dependency Visualization for Security
The Go module graph is comparatively small, which makes it one of the few ecosystems where visualizing dependencies is actually useful for security review rather than just pretty.
PowerShell Module Supply Chain Security
PowerShell modules are a supply chain people forget exists, and the trust model is weaker than NuGet's. Here is why that matters.
cargo audit vs cargo deny
A practical head-to-head between cargo-audit 0.21 and cargo-deny 0.16 based on six months of running both in production CI pipelines.
Forking Security: What Happens When Open Source Projects Diverge
When an open source project forks, the security implications cascade through every downstream consumer. Understanding fork dynamics is essential for managing supply chain risk.
Go Proxy and Private Module Security
Mixing public and private modules through a Go proxy is where most teams get their configuration wrong, and the mistakes range from leaked module names to accepted unverified code.
Maven Enforcer Plugin Security Rules
Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.
Rust Build Scripts: A Supply Chain Risk Profile
Why build.rs is the highest-leverage attack surface in the Rust ecosystem, with concrete examples from 2023 and 2024 incidents.