dependencies
Safeguard articles tagged "dependencies" — guides, analysis, and best practices for software supply chain and application security.
52 articles
Jackson-databind Security Guide (2026)
Jackson-databind is the default JSON engine for the Java ecosystem — and the source of one of the longest deserialization CVE sagas in open source. Here is how to run it safely.
Scanning NuGet Packages for Vulnerabilities in .NET
The .NET SDK ships a built-in vulnerability scanner: dotnet list package --vulnerable. Here is how to audit NuGet dependencies with it — and where to go beyond it.
Auditing Rust Dependencies with cargo-audit
cargo-audit checks your Cargo.lock against the RustSec Advisory Database, flagging vulnerable, yanked, and unmaintained crates. Here is how to use it and extend it.
Auditing Go Modules with govulncheck
govulncheck is unusual: it uses static analysis to tell you not just which Go dependencies are vulnerable, but whether your code actually reaches the vulnerable function.
pandas Security Guide (2026)
pandas is the backbone of Python data analysis — and while its own CVE record is thin, the read_pickle deserialization risk is real, the query/eval expression engine invites injection, and most 'pandas findings' actually live in its dependency tree.
Requests (Python) Security Guide (2026)
The Requests library is how most Python code talks HTTP — and a recurring class of credential-leak-on-redirect CVEs makes its version and config genuinely security-relevant.
What Is a Software Dependency
A software dependency is outside code your program relies on to run. Here is what dependencies are, why modern apps have so many, and why they matter for security.
Express.js Security Guide (2026)
Express is the default web framework for Node.js — and a small, deep dependency tree that has produced open-redirect, XSS, and ReDoS CVEs. Here is how to run Express safely in 2026.
Auditing Maven Dependencies with OWASP Dependency-Check
OWASP Dependency-Check is the classic way to scan Java and Maven projects against the NVD. Learn to run it, tame its false positives, and move beyond CPE matching.
NumPy Security Guide (2026)
NumPy is the numerical foundation of the Python data ecosystem — and while many of its CVEs are disputed, the pickle-based numpy.load deserialization risk is real and worth understanding.
SBOM for Beginners: What a Software Bill of Materials Really Is
Modern software is assembled from hundreds of parts you did not write. An SBOM is the ingredient label that lists them all. Here is a warm, beginner-friendly tour with a first SBOM you can generate today.
SCA for Beginners: Understanding Software Composition Analysis
Most of your application is code you did not write. Software Composition Analysis helps you keep that borrowed code safe. Here is a beginner-friendly tour with a first scan you can run today.