Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

PHP / Composer Supply Chain Defence 2026

A 2026 supply chain defence for PHP and Composer — covering Packagist, composer.lock, autoload manipulation, and Laravel — backed by Safeguard.

Mar 10, 20267 min read
Open Source Security

JSR JavaScript Registry Security Model

JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.

Mar 8, 20265 min read
Open Source Security

PyPI 2FA Lessons Two Years In

PyPI mandated 2FA for all maintainers in 2024. Two years in, account takeovers dropped — but attackers shifted to OIDC tokens, abandoned packages, and maintainer devices.

Mar 6, 20267 min read
Open Source Security

Swift And CocoaPods Supply Chain Program

A 2026 supply chain program for Swift apps — covering SPM, CocoaPods, XCFrameworks, and notarisation — anchored by Safeguard policy and SBOM evidence.

Mar 5, 20267 min read
Open Source Security

Composer/PHP Package Supply Chain in 2026

PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.

Mar 5, 20268 min read
Open Source Security

Typosquatting packages

What is typosquatting? A precise breakdown of package typosquatting attacks, real npm and PyPI examples, and how lookalike malicious packages slip into builds.

Mar 3, 20266 min read
Open Source Security

The OSV Vulnerability Database API Cookbook

Practical patterns for using the OSV.dev API in production: batch queries, schema gotchas, version range parsing, and how to integrate OSV data into your own vulnerability pipelines.

Mar 2, 20265 min read
Open Source Security

Polyglot Monorepo: Unified Supply Chain Program

A 2026 unified supply chain program for polyglot monorepos — bringing Node, Python, Go, Java, and more under one set of policies — anchored by Safeguard.

Feb 28, 20267 min read
Open Source Security

JSR/Deno Package Ecosystem Supply Chain

JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what it gets right and what it has not solved yet.

Feb 28, 20267 min read
Open Source Security

OpenSSL vs LibreSSL vs BoringSSL in 2026

A 2026 comparison of OpenSSL, LibreSSL, and BoringSSL on security posture, release cadence, FIPS posture, and which one to ship in which context.

Feb 26, 20265 min read
Open Source Security

pnpm and Yarn Modern Lockfile Security

pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.

Feb 24, 20267 min read
Open Source Security

cargo-audit and cargo-deny: A Real Workflow

A senior-engineer-grade workflow for using cargo-audit and cargo-deny together, with realistic policy decisions and the mistakes teams repeat.

Feb 20, 20267 min read
Open Source Security (Page 7) — Supply Chain Security Blog | Safeguard