dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
128 articles
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
A four-surface framework for software supply-chain risk
Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.
Bundler dependency resolution and safe Gemfile upgrade strategies
In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.
Auditing and pinning transitive Java dependencies with Maven and Gradle
Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.
The 4 dimensions of open-source dependency risk
Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.
Dependency Management for Beginners: Keeping Your Borrowed Code Healthy
Most of your application is packages other people wrote. Dependency management is the everyday craft of choosing them well, updating them safely, and keeping them from becoming a liability. Here is a friendly guide with a first step to try today.
AI-assisted vulnerability remediation patterns: what to verify before you merge
GitHub reports its Copilot Autofix suggestions resolve two-thirds of flagged vulnerabilities with little or no editing — but the other third is where merges go wrong.
The AppSec Program Spring-Cleaning Checklist
The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.
What the curl CVE disclosures teach about patching embedded C libraries
curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.
Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs
Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.
Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard
Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.
Node.js backend architecture patterns for 2026
Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.