dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
HIPAA and Third-Party Software Components: A Developer Guide
HIPAA never mentions npm, but a vulnerable dependency in an ePHI system is a Security Rule problem. How risk analysis, patching, and BAAs map to your dependency tree.
Payment Processor Dependency Risks
The libraries and services that sit between a merchant and the card networks carry concentrated risk. A practical look at what goes wrong, and how to build a dependency program that catches it.
SBOM Visualization Tools Compared: Making Dependency Data Actionable
An SBOM in JSON or XML format is data. A visualization turns that data into insight. This comparison examines how different tools present SBOM data and which approaches work best for different audiences.
Spring Dependency Management Supply Chain
Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.
PHP Composer Security: Lockfiles, Packagist and Abandoned Packages
composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.
CVE-2022-31129: The Day.js ReDoS Vulnerability, Explained
CVE-2022-31129 is a regular expression denial of service in Day.js's custom parse format handling. Here's what triggered it, why it's still showing up in scans, and how it was fixed.
jQuery 3.5.1 Vulnerabilities: What Was Actually Fixed
jQuery 3.5.1 closed a second cross-site scripting hole in the htmlPrefilter regex that 3.5.0 had only partially patched — here's exactly what changed and why old jQuery bundles still trip scanners.
What Are Dependencies in Software?
A plain-English definition of software dependencies, how direct and transitive dependencies differ, and why most projects ship far more third-party code than code their own team wrote.
Endor Labs SCA Review: Reachability Analysis Changes the Game
A review of Endor Labs and its reachability-based approach to software composition analysis, examining how call graph analysis reduces vulnerability noise.
Netflix's Open-Source Security Approach
How Netflix manages security across hundreds of open-source projects and thousands of internal dependencies while maintaining the velocity that streaming demands.
Monorepo Security: Dependency Management at Scale
Monorepos centralize code but create unique security challenges. Learn how to manage shared dependencies, enforce security policies, and maintain SBOMs across a monorepo architecture.
RubyGems Yanked Gems: Security Risks of Removed Ruby Packages
When a Ruby gem is yanked from RubyGems.org, it creates security risks for projects that depended on it. Understanding the yanking mechanism is critical for Ruby supply chain security.