Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
PHP / Composer Supply Chain Defence 2026
A 2026 supply chain defence for PHP and Composer — covering Packagist, composer.lock, autoload manipulation, and Laravel — backed by Safeguard.
JSR JavaScript Registry Security Model
JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.
PyPI 2FA Lessons Two Years In
PyPI mandated 2FA for all maintainers in 2024. Two years in, account takeovers dropped — but attackers shifted to OIDC tokens, abandoned packages, and maintainer devices.
Swift And CocoaPods Supply Chain Program
A 2026 supply chain program for Swift apps — covering SPM, CocoaPods, XCFrameworks, and notarisation — anchored by Safeguard policy and SBOM evidence.
Composer/PHP Package Supply Chain in 2026
PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.
Typosquatting packages
What is typosquatting? A precise breakdown of package typosquatting attacks, real npm and PyPI examples, and how lookalike malicious packages slip into builds.
The OSV Vulnerability Database API Cookbook
Practical patterns for using the OSV.dev API in production: batch queries, schema gotchas, version range parsing, and how to integrate OSV data into your own vulnerability pipelines.
Polyglot Monorepo: Unified Supply Chain Program
A 2026 unified supply chain program for polyglot monorepos — bringing Node, Python, Go, Java, and more under one set of policies — anchored by Safeguard.
JSR/Deno Package Ecosystem Supply Chain
JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what it gets right and what it has not solved yet.
OpenSSL vs LibreSSL vs BoringSSL in 2026
A 2026 comparison of OpenSSL, LibreSSL, and BoringSSL on security posture, release cadence, FIPS posture, and which one to ship in which context.
pnpm and Yarn Modern Lockfile Security
pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.
cargo-audit and cargo-deny: A Real Workflow
A senior-engineer-grade workflow for using cargo-audit and cargo-deny together, with realistic policy decisions and the mistakes teams repeat.