dependencies
Safeguard articles tagged "dependencies" — guides, analysis, and best practices for software supply chain and application security.
52 articles
Software Supply Chain Security for Developers
For developers, supply chain security lives or dies in the pull request. Here is how to keep it there: catch real risk early, fix it in minutes, and never lose an afternoon to noise.
Understanding Dependency Trees
The libraries you install are only the tip of the iceberg. Each one pulls in its own dependencies, which pull in more, forming a tree that can run hundreds of packages deep. Understanding that tree is the first step to securing it.
What Is Software Composition Analysis (SCA)?
Software Composition Analysis (SCA) identifies the open source and third-party components in your code, then flags their known vulnerabilities and license risks. Here's how SCA works and what separates modern tools from legacy scanners.
How to Check if an npm Package Is Safe
Before you run npm install, learn a quick, repeatable routine to judge whether an npm package is trustworthy — using metadata, known vulnerabilities, and a scan.
Introduction to Software Supply Chain Security
Modern software is assembled from far more code than any one team writes. Software supply chain security protects every dependency, build tool, and pipeline that goes into the finished product. Here is the foundational picture.
Is Lodash Safe? A 2026 Security Guide
Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.
npm audit: The Complete Guide to Auditing Node.js Dependencies
How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.
Auditing Python Dependencies with pip-audit: A Practical Guide
pip-audit is the PyPA-backed tool for scanning Python dependencies against the OSV and PyPI advisory databases. Here is how to run it well — and where it needs backup.
SBOM vs SCA: What's the Difference?
An SBOM is a list of what's in your software. SCA is the practice of analyzing that list for risk. One is an artifact; the other is an activity.
TensorFlow Security Guide (2026)
TensorFlow is one of the most widely deployed machine-learning frameworks — and its history of model-deserialization RCE and crafted-tensor memory bugs makes its version and loading habits genuinely security-relevant.
Dependency Update Triage Strategy for Eng Teams
An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in the right conversation.
What Is Patch Management?
Patch management is the process of finding, testing, and deploying software updates that fix bugs and security flaws. Learn the lifecycle, prioritization, and why it matters.