dependencies
Safeguard articles tagged "dependencies" — guides, analysis, and best practices for software supply chain and application security.
52 articles
Open Source Risk Management: Beyond Vulnerability Scanning
Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.
Bounty Program Scoping for Dependencies
How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.
Rust Feature Flags: Supply Chain Implications
Cargo feature flags look like a compilation convenience but they are a load-bearing piece of your supply chain posture. Here is why.
Dependency Compromise Timeline Reconstruction
How to rebuild a precise timeline after a dependency has been compromised, using lockfile history, registry metadata, and CI logs.
How to Measure Dependency Freshness in CI
A practical CI tutorial for measuring dependency freshness, setting SLOs for version drift, and failing builds when packages fall too far behind upstream.
Flutter and Dart Dependency Security: A Practical Guide
Flutter apps pull dozens of Dart packages from pub.dev. Most teams never audit them. Here is how to manage dependency security in the Flutter ecosystem without slowing down development.
go mod tidy: The Security Implications
Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.
Software Component Lifecycle Management
Components do not stay secure forever. This guide covers managing the full lifecycle of software dependencies -- from adoption through deprecation -- with a focus on security and operational continuity.
Threat Hunting in the Software Supply Chain
Proactive threat hunting techniques adapted for software supply chain security—because waiting for alerts isn't enough when adversaries hide in your dependencies.
The Security Implications of Semantic Versioning
Semver promises predictability in dependency management. In practice, it creates a trust model with serious security implications that most developers do not consider.
Dependency Pinning vs. Ranges: The Tradeoffs
Should you pin exact dependency versions or use ranges? The answer is more nuanced than most teams think, and getting it wrong has real security implications.
Memory Safety Bugs in C/C++ Dependencies: The Hidden Risk in Your Software Supply Chain
C and C++ libraries still power critical infrastructure everywhere. Their memory safety issues are your problem whether you write C or not.