dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
The security risk of LLMs reviving abandoned open-source packages
USENIX Security 2025 found 19.7% of LLM code samples hallucinate a package name — and real, dormant packages carry the same blind trust.
Managing Open Source Component Risk at Scale
A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.
What a good AI remediation agent needs to fix dependencies safely
Snyk's CLI remediation agent pushed fix rates from 23% to 45% with an intelligence layer — but the harder problem is making an agent developers trust to touch their lockfile unsupervised.
Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk
Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.
JavaScript Dependency Vulnerability Scanning: Beyond npm audit
npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.
Dependency Management Best Practices for Secure Software
Your app is mostly other people's code. A 2026 guide to managing dependencies securely — lockfiles, provenance, SBOMs, update strategy, and reachability — so a bad package doesn't become your breach.
Dependency Management: Frequently Asked Questions
A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.
Gradle Dependency Security: Locking, Verification, and Version Catalogs
Secure Gradle builds in 2026 with dependency locking, cryptographic dependency verification, version catalogs, and reachability-aware CVE scanning.
How to Get Into Software Supply Chain Security
Software supply chain security is one of the hottest specialties in the field—and one of the least crowded. Here is how students and career-changers can break into it, from the core concepts to a portfolio that stands out.
Maven Dependency Security: Pinning, Verification, and Scanning
How to secure a Maven build in 2026 — pin versions, enforce convergence, verify artifacts, and scan the transitive tree that pom.xml never shows you.
Auto-triage rules for Dependabot pull requests at scale
Dependabot floods teams with PRs, but not every alert deserves equal attention. Here's how auto-triage rules cut noise at scale, and where GHAS falls short.
Shadow Risks: Unmanaged and Unauthorized Dependencies
Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.