Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

129 articles

Open Source Security

The security risk of LLMs reviving abandoned open-source packages

USENIX Security 2025 found 19.7% of LLM code samples hallucinate a package name — and real, dormant packages carry the same blind trust.

Jul 8, 20267 min read
Open Source Security

Managing Open Source Component Risk at Scale

A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.

Jul 7, 20268 min read
DevSecOps

What a good AI remediation agent needs to fix dependencies safely

Snyk's CLI remediation agent pushed fix rates from 23% to 45% with an intelligence layer — but the harder problem is making an agent developers trust to touch their lockfile unsupervised.

Jul 7, 20266 min read
Security Guides

Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk

Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.

Jul 6, 20266 min read
Security Guides

JavaScript Dependency Vulnerability Scanning: Beyond npm audit

npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.

Jul 6, 20266 min read
DevSecOps

Dependency Management Best Practices for Secure Software

Your app is mostly other people's code. A 2026 guide to managing dependencies securely — lockfiles, provenance, SBOMs, update strategy, and reachability — so a bad package doesn't become your breach.

Jul 4, 20265 min read
FAQ

Dependency Management: Frequently Asked Questions

A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.

Jul 4, 20266 min read
Security Guides

Gradle Dependency Security: Locking, Verification, and Version Catalogs

Secure Gradle builds in 2026 with dependency locking, cryptographic dependency verification, version catalogs, and reachability-aware CVE scanning.

Jul 4, 20265 min read
Career

How to Get Into Software Supply Chain Security

Software supply chain security is one of the hottest specialties in the field—and one of the least crowded. Here is how students and career-changers can break into it, from the core concepts to a portfolio that stands out.

Jul 4, 20266 min read
Security Guides

Maven Dependency Security: Pinning, Verification, and Scanning

How to secure a Maven build in 2026 — pin versions, enforce convergence, verify artifacts, and scan the transitive tree that pom.xml never shows you.

Jul 3, 20265 min read
Open Source Security

Auto-triage rules for Dependabot pull requests at scale

Dependabot floods teams with PRs, but not every alert deserves equal attention. Here's how auto-triage rules cut noise at scale, and where GHAS falls short.

Jun 29, 20268 min read
SBOM

Shadow Risks: Unmanaged and Unauthorized Dependencies

Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.

Jun 4, 20268 min read
dependency-management (Page 2) — Safeguard Blog