Supply Chain
In-depth guides and analysis on supply chain from the Safeguard engineering team.
46 articles
How to Fix a Vulnerable Transitive Dependency in npm
The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.
SCA Scanning: What It Catches in Practice
SCA scanning finds known CVEs in your open-source dependencies and license conflicts you didn't know you'd agreed to — here's exactly what a scan catches, in order of how often it actually matters.
Shai-Hulud: The Self-Replicating npm Worm That Hit 500+ Packages
On September 15, 2025, a self-replicating npm worm dubbed Shai-Hulud backdoored more than 500 packages, including @ctrl/tinycolor and CrowdStrike libraries, by pivoting through stolen publish tokens.
@ctrl/tinycolor and the 40-Package npm Wave of September 2025
@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.
SCA vs Static Code Analysis: The Real Difference
Software composition analysis and static code analysis get lumped together constantly, but they read entirely different things and catch entirely different bugs.
What Is a Software Ingredient Label?
Food gets an ingredient panel; software gets an SBOM. What a software ingredient label contains, who is demanding one, and how to generate yours automatically.
Nx s1ngularity: The First AI-Aware Supply Chain Worm
On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.
SCA Security Testing: A Workflow Guide
SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.
Open Source Code Scanning: Tools and Workflow
Open source code scanning tools can cover most of a small team's needs for free, but the workflow around them — what runs where, and who reviews the output — matters more than which tool you pick.
Snyk SBOM Generation: How It Works
How Snyk builds a software bill of materials from a dependency scan, what formats it exports, and where teams still need to fill gaps manually.
SCA Security: What Software Composition Analysis Actually Catches
SCA security scans the open source dependencies that make up most of your codebase, finding known CVEs, risky licenses, and malicious packages. Here is what it catches — and what it does not.
What Is SBOM Security, and Why Does It Matter?
SBOM security is the practice of using a software bill of materials to actually find and act on risk in your dependencies, not just to produce a compliance document.