Safeguard
Tag

dependencies

Safeguard articles tagged "dependencies" — guides, analysis, and best practices for software supply chain and application security.

52 articles

Solutions

Software Supply Chain Security for Developers

For developers, supply chain security lives or dies in the pull request. Here is how to keep it there: catch real risk early, fix it in minutes, and never lose an afternoon to noise.

Jul 2, 20266 min read
Concepts

Understanding Dependency Trees

The libraries you install are only the tip of the iceberg. Each one pulls in its own dependencies, which pull in more, forming a tree that can run hundreds of packages deep. Understanding that tree is the first step to securing it.

Jul 2, 20267 min read
Concepts

What Is Software Composition Analysis (SCA)?

Software Composition Analysis (SCA) identifies the open source and third-party components in your code, then flags their known vulnerabilities and license risks. Here's how SCA works and what separates modern tools from legacy scanners.

Jul 1, 20266 min read
Tutorials

How to Check if an npm Package Is Safe

Before you run npm install, learn a quick, repeatable routine to judge whether an npm package is trustworthy — using metadata, known vulnerabilities, and a scan.

Jul 1, 20265 min read
Concepts

Introduction to Software Supply Chain Security

Modern software is assembled from far more code than any one team writes. Software supply chain security protects every dependency, build tool, and pipeline that goes into the finished product. Here is the foundational picture.

Jul 1, 20266 min read
Security Guides

Is Lodash Safe? A 2026 Security Guide

Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.

Jul 1, 20266 min read
Security Guides

npm audit: The Complete Guide to Auditing Node.js Dependencies

How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.

Jul 1, 20266 min read
Security Guides

Auditing Python Dependencies with pip-audit: A Practical Guide

pip-audit is the PyPA-backed tool for scanning Python dependencies against the OSV and PyPI advisory databases. Here is how to run it well — and where it needs backup.

Jul 1, 20265 min read
Concepts

SBOM vs SCA: What's the Difference?

An SBOM is a list of what's in your software. SCA is the practice of analyzing that list for risk. One is an artifact; the other is an activity.

Jul 1, 20266 min read
Security Guides

TensorFlow Security Guide (2026)

TensorFlow is one of the most widely deployed machine-learning frameworks — and its history of model-deserialization RCE and crafted-tensor memory bugs makes its version and loading habits genuinely security-relevant.

Jul 1, 20266 min read
DevSecOps

Dependency Update Triage Strategy for Eng Teams

An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in the right conversation.

Feb 26, 20267 min read
Concepts

What Is Patch Management?

Patch management is the process of finding, testing, and deploying software updates that fix bugs and security flaws. Learn the lifecycle, prioritization, and why it matters.

Feb 6, 20266 min read
dependencies (Page 3) — Safeguard Blog