Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

129 articles

Product

Safeguard Open Source Manager: A Deep Dive Into Dependency Governance

An inside look at Safeguard's Open Source Manager — how it tracks, evaluates, and enforces policies across every open-source dependency in your portfolio.

Mar 2, 20267 min read
AppSec

Securing Spring Security OAuth2 and JOSE Dependencies

spring-security-oauth2-jose sits at the center of many Java auth stacks, but the legacy project is deprecated and its JOSE/JWT dependencies carry their own patch history; here is how to assess and reduce the risk.

Feb 24, 20266 min read
Software Supply Chain Security

How to enable Dependabot version updates

A step-by-step guide to enabling Dependabot version updates on GitHub, including dependabot.yml configuration, scheduling, and verification checks.

Feb 21, 20267 min read
Supply Chain

Open Source Security Management: From Policy to Pipeline

A policy document nobody enforces is theater. Here is how to turn open source rules into pipeline checks that developers can live with.

Feb 12, 20265 min read
Vulnerability Analysis

The left-pad npm Incident Explained

No CVE, no CVSS — just one unpublished package that broke the internet's build pipelines. Here's what left-pad still teaches security teams.

Feb 9, 20268 min read
Open Source Security

What is a Package Manager

Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.

Feb 8, 20267 min read
Open Source Security

What is npm Security

A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.

Feb 8, 20268 min read
Open Source Security

What is Maven Security

Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.

Feb 8, 20267 min read
DevSecOps

What is a Monorepo

A monorepo houses many projects in one repository. Learn how Google, Meta, and Microsoft use them, and the blast-radius risks security teams must manage.

Feb 7, 20266 min read
Open Source Security

Scanning Go codebases for known vulnerabilities with govu...

A practical govulncheck tutorial for scanning Go codebases for known vulnerabilities, auditing dependencies, and wiring checks into your CI pipeline.

Feb 3, 20267 min read
Open Source Security

Hex.pm package registry security and Elixir supply chain ...

Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.

Feb 1, 20267 min read
DevSecOps

Renovate vs Dependabot: Enterprise Rollout Playbook for 2026

How to choose between Renovate and Dependabot for enterprise dependency automation in 2026, with rollout patterns, failure modes, and migration paths.

Jan 30, 20265 min read
dependency-management (Page 5) — Safeguard Blog