Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Single-Maintainer Bus Factor Risk in OSS
A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.
Ruby Gem Reserved Names Policy
How RubyGems.org handles reserved gem names, what protections exist for trademark holders, and where the policy creates friction for legitimate namespace claims.
PyPI Account Recovery: A Security Model Review
Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.
How to Publish an npm Package With Provenance
A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.
NuGet Package Signing: Enterprise Rollout
Rolling NuGet package signing enforcement across a large .NET estate is a policy and tooling problem, not a cryptography problem. Here is how it actually goes.
Poetry and Python Supply Chain Security
Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.
go mod tidy: The Security Implications
Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.
npm Package Visibility Audit Techniques
Public when it should have been private. Private when it should have been archived. The state of npm package visibility across an organization is almost always worse than the team thinks.
npm audit vs pnpm audit vs yarn audit
Three audit tools, three philosophies, three blind spots. A ground-level comparison of how npm, pnpm, and yarn surface vulnerabilities, and where each one leaves you exposed.
How to Detect Typosquatting in Package Installs
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
npm Registry Governance and the Security of node_modules
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
npm Team Access Model Hardening
Npm's team-based permissions are more expressive than most organizations use. A walkthrough of the access model and the configurations that actually reduce blast radius.