dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
Minimum release age / cooldown policies for new package v...
A cooldown on new npm package versions can block malicious releases before they reach your build. Here's how minimum release age policies work.
Dependabot Alternatives in 2026: A Buyer Rubric
A buyer rubric for evaluating Dependabot alternatives in 2026, covering update strategy, ecosystem coverage, reachability, and operational realities.
Regular expression DoS in the ms npm package
A ReDoS flaw in the ubiquitous npm package ms (CVE-2015-8315) still surfaces in dependency scans today. Here's the impact, fix, and remediation steps.
Patch management strategies for open source dependencies
A practical guide to patch management for open source dependencies: prioritizing by reachability and EPSS, not CVSS alone, and building a repeatable remediation loop.
What to check before installing an open source package
A practical guide to vetting open source packages before you install them — real incidents, concrete checks, and how reachability analysis cuts through CVE noise.
Open Source Sustainability Is an Attack Surface Problem
Unmaintained, underfunded open source is not just a reliability risk — it is how attackers get in. The xz Utils backdoor proved that maintainer burnout is a security vulnerability with a CVE number.
What Are Transitive Dependencies
Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.
Direct vs Transitive Dependencies
Most known vulnerabilities live in transitive dependencies, not the ones in your manifest. Here's how to tell them apart and prioritize what's exploitable.
Software Dependencies: How to Manage Them at Scale
Most apps run 10-20x more dependencies than engineers chose. Here's how reachability analysis and automation manage that risk at scale.
What is Dependency Management
Dependency management means tracking, scanning, and patching the open source packages your app relies on -- here's how it works and why it matters.
Best Practices for npm Lockfile Security 2026
Your package-lock.json is a supply chain control, not build noise. Six habits — npm ci, script blocking, lockfile linting, provenance checks — that stop most npm attacks cold.
Supply Chain Vulnerability Protection: A Checklist
A working checklist for supply chain vulnerability protection, from dependency inventory through SBOM generation and continuous re-scanning, built for teams shipping today.