Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Log4j Two Years Later: Are We Actually Safer?

Two years after Log4Shell shook the internet, many organizations still have vulnerable Log4j instances. The vulnerability changed how we think about supply chain security—but did it change how we act?

Dec 10, 20235 min read
Open Source Security

How to Verify a PyPI Package Before Install

A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.

Dec 5, 20235 min read
Open Source Security

Open Source Dependency Health Metrics That Actually Matter

Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to measure and more important to track.

Dec 5, 20236 min read
Open Source Security

npm Scripts Sandboxing Techniques

Postinstall scripts have been the supply-chain attacker's favorite tool for a decade. Here are the sandboxing techniques that actually work, ranked from cheap to serious.

Nov 30, 20236 min read
Open Source Security

How to Audit npm Postinstall Scripts Safely

Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postinstall hooks before they execute.

Nov 22, 20234 min read
Open Source Security

PyPI 2FA Enrollment: Enterprise Rollout

PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.

Oct 28, 20236 min read
Open Source Security

Python setuptools Security Considerations

setuptools is the default Python packaging backend and its security properties matter for anyone who builds, installs, or runs Python code. Here is what to watch.

Oct 5, 20237 min read
Open Source Security

OpenSSF Scorecard v5: Raising the Bar for Open Source Security

The latest release of OpenSSF Scorecard introduces new checks and improved accuracy, helping organizations make data-driven decisions about open source dependency risk.

Oct 5, 20235 min read
Open Source Security

Python Packaging Authority and the Security of pip install

Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.

Sep 15, 20237 min read
Open Source Security

Dependabot Security Updates: Behavior Deep Dive

A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.

Sep 12, 20235 min read
Open Source Security

Pipenv Security Posture Review

Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.

Aug 30, 20236 min read
Open Source Security

npm Lockfile v3 Security Improvements

Lockfile v3 is more than a format bump. It quietly fixed a class of integrity bugs that plagued v1 and v2, and the difference matters more than most teams realize.

Aug 10, 20236 min read
Open Source Security (Page 31) — Supply Chain Security Blog | Safeguard