Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

129 articles

Compliance

HIPAA and Third-Party Software Components: A Developer Guide

HIPAA never mentions npm, but a vulnerable dependency in an ePHI system is a Security Rule problem. How risk analysis, patching, and BAAs map to your dependency tree.

Jun 23, 20246 min read
Best Practices

Payment Processor Dependency Risks

The libraries and services that sit between a merchant and the card networks carry concentrated risk. A practical look at what goes wrong, and how to build a dependency program that catches it.

Jun 18, 20247 min read
SBOM and Compliance

SBOM Visualization Tools Compared: Making Dependency Data Actionable

An SBOM in JSON or XML format is data. A visualization turns that data into insight. This comparison examines how different tools present SBOM data and which approaches work best for different audiences.

May 20, 20246 min read
Open Source Security

Spring Dependency Management Supply Chain

Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.

Apr 30, 20247 min read
Engineering

PHP Composer Security: Lockfiles, Packagist and Abandoned Packages

composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.

Apr 18, 20246 min read
Vulnerabilities

CVE-2022-31129: The Day.js ReDoS Vulnerability, Explained

CVE-2022-31129 is a regular expression denial of service in Day.js's custom parse format handling. Here's what triggered it, why it's still showing up in scans, and how it was fixed.

Mar 19, 20245 min read
Vulnerabilities

jQuery 3.5.1 Vulnerabilities: What Was Actually Fixed

jQuery 3.5.1 closed a second cross-site scripting hole in the htmlPrefilter regex that 3.5.0 had only partially patched — here's exactly what changed and why old jQuery bundles still trip scanners.

Mar 14, 20245 min read
Dev Practices

What Are Dependencies in Software?

A plain-English definition of software dependencies, how direct and transitive dependencies differ, and why most projects ship far more third-party code than code their own team wrote.

Mar 14, 20246 min read
Tool Reviews

Endor Labs SCA Review: Reachability Analysis Changes the Game

A review of Endor Labs and its reachability-based approach to software composition analysis, examining how call graph analysis reduces vulnerability noise.

Mar 12, 20246 min read
Case Studies

Netflix's Open-Source Security Approach

How Netflix manages security across hundreds of open-source projects and thousands of internal dependencies while maintaining the velocity that streaming demands.

Jan 22, 20247 min read
Architecture

Monorepo Security: Dependency Management at Scale

Monorepos centralize code but create unique security challenges. Learn how to manage shared dependencies, enforce security policies, and maintain SBOMs across a monorepo architecture.

Dec 3, 20238 min read
Software Supply Chain Security

RubyGems Yanked Gems: Security Risks of Removed Ruby Packages

When a Ruby gem is yanked from RubyGems.org, it creates security risks for projects that depended on it. Understanding the yanking mechanism is critical for Ruby supply chain security.

Nov 5, 20235 min read
dependency-management (Page 10) — Safeguard Blog