dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
Dependabot Alternatives in 2026: An Honest Buyer's Guide
An honest guide to Dependabot alternatives in 2026 — Renovate, Snyk, Socket, Endor Labs, Mend, and Safeguard — covering dependency updates, reachability analysis, malicious-package detection, and software supply chain security.
10 npm security best practices
Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.
Python security best practices cheat sheet
A no-fluff cheat sheet of concrete Python security fixes—dependency pinning, pickle/eval risks, PyPI trust signals, and CI gates—with real CVEs and commands.
Better Ruby Gemfile security: a step-by-step guide
A step-by-step guide to auditing your Gemfile.lock, spotting RubyGems supply chain attacks, and locking down Ruby dependencies before they ship.
6 Angular security best practices cheat sheet
A six-part cheat sheet on Angular security: sanitizer limits, AngularJS EOL, dependency risk, token storage, CSP nonces, and library auditing.
10 Spring Boot security best practices
Ten concrete Spring Boot security practices, with real CVEs, config flags, and file paths, to close the gaps attackers actually exploit.
Fixing vulnerabilities in Maven projects
Maven vulnerability remediation isn't just running mvn versions:use-latest — here's how to triage, patch, and verify fixes without breaking builds.
Fixing vulnerabilities in Gradle projects
Gradle's resolved dependency graph rarely matches build.gradle. Here's how to find, force-fix, and lock vulnerable transitive dependencies for good.
The ultimate guide to creating a secure Python package
A concrete, numbers-first guide to locking dependencies, signing releases, and scanning for CVEs when building a secure Python package.
.NET and NuGet dependency vulnerability management
NuGet packages have delivered RATs, crypto stealers, and undisclosed data collection to .NET teams. Here's how to detect and defend against .NET/NuGet supply chain risk.
Socket.dev vs Dependabot: beyond automated dependency upd...
Dependabot patches known CVEs; Socket.dev flags risky package behavior. Neither enforces policy or ties risk to your actual build and runtime footprint — here's where Safeguard fits.
npm/package health and quality scoring methodology
How npm package health scores are calculated, why Socket.dev's model misses live supply chain attacks, and what Safeguard checks instead.