Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Spring Dependency Management Supply Chain

Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.

Apr 30, 20247 min read
Open Source Security

npm Registry Authentication Deep Dive

The npm registry supports four distinct authentication flows. Most teams use one, badly. A tour of how auth actually works, what the tokens look like, and where the model breaks.

Apr 25, 20247 min read
Open Source Security

PyPI Supply Chain Attacks: Q1 2024 Roundup

Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked like and how to defend.

Apr 22, 20245 min read
Open Source Security

PyPI Package Namespace Governance

PyPI's flat global namespace is one of Python packaging's oldest design decisions. How it's governed today, where the tension points are, and what the PEP 752 debate means for the future.

Apr 18, 20246 min read
Open Source Security

RubyGems 2FA Enforcement Analysis

A look at how RubyGems.org rolled out mandatory 2FA for high-traffic gem maintainers, what it has caught, and what gaps still remain in the account-compromise defense story.

Apr 18, 20247 min read
Open Source Security

Go Dependency Visualization for Security

The Go module graph is comparatively small, which makes it one of the few ecosystems where visualizing dependencies is actually useful for security review rather than just pretty.

Apr 12, 20247 min read
Open Source Security

PowerShell Module Supply Chain Security

PowerShell modules are a supply chain people forget exists, and the trust model is weaker than NuGet's. Here is why that matters.

Apr 8, 20247 min read
Open Source Security

cargo audit vs cargo deny

A practical head-to-head between cargo-audit 0.21 and cargo-deny 0.16 based on six months of running both in production CI pipelines.

Apr 5, 20246 min read
Open Source Security

Forking Security: What Happens When Open Source Projects Diverge

When an open source project forks, the security implications cascade through every downstream consumer. Understanding fork dynamics is essential for managing supply chain risk.

Apr 2, 20246 min read
Open Source Security

Go Proxy and Private Module Security

Mixing public and private modules through a Go proxy is where most teams get their configuration wrong, and the mistakes range from leaked module names to accepted unverified code.

Mar 28, 20246 min read
Open Source Security

Maven Enforcer Plugin Security Rules

Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.

Mar 25, 20247 min read
Open Source Security

Rust Build Scripts: A Supply Chain Risk Profile

Why build.rs is the highest-leverage attack surface in the Rust ecosystem, with concrete examples from 2023 and 2024 incidents.

Mar 20, 20246 min read
Open Source Security (Page 29) — Supply Chain Security Blog | Safeguard