Safeguard
Tag

dependencies

Safeguard articles tagged "dependencies" — guides, analysis, and best practices for software supply chain and application security.

52 articles

Open Source

Open Source Risk Management: Beyond Vulnerability Scanning

Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.

Jan 5, 20263 min read
Best Practices

Bounty Program Scoping for Dependencies

How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.

Apr 8, 20258 min read
Open Source Security

Rust Feature Flags: Supply Chain Implications

Cargo feature flags look like a compilation convenience but they are a load-bearing piece of your supply chain posture. Here is why.

Sep 12, 20247 min read
Best Practices

Dependency Compromise Timeline Reconstruction

How to rebuild a precise timeline after a dependency has been compromised, using lockfile history, registry metadata, and CI logs.

Jul 28, 20246 min read
DevSecOps

How to Measure Dependency Freshness in CI

A practical CI tutorial for measuring dependency freshness, setting SLOs for version drift, and failing builds when packages fall too far behind upstream.

May 20, 20246 min read
Developer Security

Flutter and Dart Dependency Security: A Practical Guide

Flutter apps pull dozens of Dart packages from pub.dev. Most teams never audit them. Here is how to manage dependency security in the Flutter ecosystem without slowing down development.

Mar 12, 20246 min read
Open Source Security

go mod tidy: The Security Implications

Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.

Feb 10, 20247 min read
Lifecycle Management

Software Component Lifecycle Management

Components do not stay secure forever. This guide covers managing the full lifecycle of software dependencies -- from adoption through deprecation -- with a focus on security and operational continuity.

Jan 15, 20247 min read
Threat Intelligence

Threat Hunting in the Software Supply Chain

Proactive threat hunting techniques adapted for software supply chain security—because waiting for alerts isn't enough when adversaries hide in your dependencies.

Aug 18, 20236 min read
Dependency Management

The Security Implications of Semantic Versioning

Semver promises predictability in dependency management. In practice, it creates a trust model with serious security implications that most developers do not consider.

Apr 28, 20236 min read
Analysis

Dependency Pinning vs. Ranges: The Tradeoffs

Should you pin exact dependency versions or use ranges? The answer is more nuanced than most teams think, and getting it wrong has real security implications.

Jan 25, 20236 min read
Software Supply Chain Security

Memory Safety Bugs in C/C++ Dependencies: The Hidden Risk in Your Software Supply Chain

C and C++ libraries still power critical infrastructure everywhere. Their memory safety issues are your problem whether you write C or not.

Jul 8, 20226 min read
dependencies (Page 4) — Safeguard Blog