Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Single-Maintainer Bus Factor Risk in OSS

A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.

Mar 18, 20246 min read
Open Source Security

Ruby Gem Reserved Names Policy

How RubyGems.org handles reserved gem names, what protections exist for trademark holders, and where the policy creates friction for legitimate namespace claims.

Mar 15, 20248 min read
Open Source Security

PyPI Account Recovery: A Security Model Review

Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.

Mar 14, 20246 min read
Open Source Security

How to Publish an npm Package With Provenance

A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.

Mar 8, 20246 min read
Open Source Security

NuGet Package Signing: Enterprise Rollout

Rolling NuGet package signing enforcement across a large .NET estate is a policy and tooling problem, not a cryptography problem. Here is how it actually goes.

Feb 25, 20246 min read
Open Source Security

Poetry and Python Supply Chain Security

Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.

Feb 22, 20246 min read
Open Source Security

go mod tidy: The Security Implications

Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.

Feb 10, 20247 min read
Open Source Security

npm Package Visibility Audit Techniques

Public when it should have been private. Private when it should have been archived. The state of npm package visibility across an organization is almost always worse than the team thinks.

Feb 10, 20246 min read
Open Source Security

npm audit vs pnpm audit vs yarn audit

Three audit tools, three philosophies, three blind spots. A ground-level comparison of how npm, pnpm, and yarn surface vulnerabilities, and where each one leaves you exposed.

Jan 20, 20247 min read
Open Source Security

How to Detect Typosquatting in Package Installs

Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.

Jan 15, 20245 min read
Open Source Security

npm Registry Governance and the Security of node_modules

The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.

Jan 8, 20247 min read
Open Source Security

npm Team Access Model Hardening

Npm's team-based permissions are more expressive than most organizations use. A walkthrough of the access model and the configurations that actually reduce blast radius.

Dec 22, 20237 min read
Open Source Security (Page 30) — Supply Chain Security Blog | Safeguard