Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

128 articles

Best Practices

Secure Coding Fundamentals: A No-Jargon Checklist for New Developers

Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.

Jul 15, 20267 min read
Supply Chain Security

A four-surface framework for software supply-chain risk

Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.

Jul 14, 20267 min read
Open Source Security

Bundler dependency resolution and safe Gemfile upgrade strategies

In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.

Jul 11, 20266 min read
Best Practices

Auditing and pinning transitive Java dependencies with Maven and Gradle

Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.

Jul 10, 20266 min read
Open Source Security

The 4 dimensions of open-source dependency risk

Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.

Jul 9, 20267 min read
Guides

Dependency Management for Beginners: Keeping Your Borrowed Code Healthy

Most of your application is packages other people wrote. Dependency management is the everyday craft of choosing them well, updating them safely, and keeping them from becoming a liability. Here is a friendly guide with a first step to try today.

Jul 8, 20266 min read
AI Security

AI-assisted vulnerability remediation patterns: what to verify before you merge

GitHub reports its Copilot Autofix suggestions resolve two-thirds of flagged vulnerabilities with little or no editing — but the other third is where merges go wrong.

Jul 8, 20267 min read
DevSecOps

The AppSec Program Spring-Cleaning Checklist

The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.

Jul 8, 20266 min read
Open Source Security

What the curl CVE disclosures teach about patching embedded C libraries

curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.

Jul 8, 20267 min read
Open Source Security

Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs

Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.

Jul 8, 20267 min read
Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Best Practices

Node.js backend architecture patterns for 2026

Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.

Jul 8, 20267 min read
dependency-management — Safeguard Blog