dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
Safeguard Open Source Manager: A Deep Dive Into Dependency Governance
An inside look at Safeguard's Open Source Manager — how it tracks, evaluates, and enforces policies across every open-source dependency in your portfolio.
Securing Spring Security OAuth2 and JOSE Dependencies
spring-security-oauth2-jose sits at the center of many Java auth stacks, but the legacy project is deprecated and its JOSE/JWT dependencies carry their own patch history; here is how to assess and reduce the risk.
How to enable Dependabot version updates
A step-by-step guide to enabling Dependabot version updates on GitHub, including dependabot.yml configuration, scheduling, and verification checks.
Open Source Security Management: From Policy to Pipeline
A policy document nobody enforces is theater. Here is how to turn open source rules into pipeline checks that developers can live with.
The left-pad npm Incident Explained
No CVE, no CVSS — just one unpublished package that broke the internet's build pipelines. Here's what left-pad still teaches security teams.
What is a Package Manager
Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.
What is npm Security
A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.
What is Maven Security
Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.
What is a Monorepo
A monorepo houses many projects in one repository. Learn how Google, Meta, and Microsoft use them, and the blast-radius risks security teams must manage.
Scanning Go codebases for known vulnerabilities with govu...
A practical govulncheck tutorial for scanning Go codebases for known vulnerabilities, auditing dependencies, and wiring checks into your CI pipeline.
Hex.pm package registry security and Elixir supply chain ...
Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.
Renovate vs Dependabot: Enterprise Rollout Playbook for 2026
How to choose between Renovate and Dependabot for enterprise dependency automation in 2026, with rollout patterns, failure modes, and migration paths.