Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Log4j Two Years Later: Are We Actually Safer?
Two years after Log4Shell shook the internet, many organizations still have vulnerable Log4j instances. The vulnerability changed how we think about supply chain security—but did it change how we act?
How to Verify a PyPI Package Before Install
A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.
Open Source Dependency Health Metrics That Actually Matter
Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to measure and more important to track.
npm Scripts Sandboxing Techniques
Postinstall scripts have been the supply-chain attacker's favorite tool for a decade. Here are the sandboxing techniques that actually work, ranked from cheap to serious.
How to Audit npm Postinstall Scripts Safely
Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postinstall hooks before they execute.
PyPI 2FA Enrollment: Enterprise Rollout
PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.
Python setuptools Security Considerations
setuptools is the default Python packaging backend and its security properties matter for anyone who builds, installs, or runs Python code. Here is what to watch.
OpenSSF Scorecard v5: Raising the Bar for Open Source Security
The latest release of OpenSSF Scorecard introduces new checks and improved accuracy, helping organizations make data-driven decisions about open source dependency risk.
Python Packaging Authority and the Security of pip install
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
Dependabot Security Updates: Behavior Deep Dive
A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.
Pipenv Security Posture Review
Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.
npm Lockfile v3 Security Improvements
Lockfile v3 is more than a format bump. It quietly fixed a class of integrity bugs that plagued v1 and v2, and the difference matters more than most teams realize.