dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
CocoaPods supply chain security and Podfile.lock integrit...
A 2024 CocoaPods Trunk server flaw let attackers hijack orphaned pods and exposed a deeper gap: Podfile.lock never verified dependency integrity in the first place.
Swift Package Manager dependency resolution and pinning s...
SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.
Next-Generation Software Composition Analysis: Beyond Dependency Lists
Traditional SCA tools tell you what's in your software. Next-gen SCA tells you what matters. Here's how the category is evolving.
Maven and Gradle dependency supply chain attacks in the J...
How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.
npm registry package hijacking incidents (CVE-2015-8858 era)
CVE-2015-8858 anchors a broader era of npm registry package hijacking — tar-extraction path traversal, left-pad, and weak account security explained.
Compromised maintainer accounts on npm
Recent npm maintainer account takeovers show how a single stolen credential can compromise billions of downloads. Here's the anatomy of the threat—and the defense.
Composer package vulnerability trends report
Composer package vulnerabilities rose 34% YoY, with 60%+ arriving via transitive dependencies. Safeguard breaks down the trends and what security teams should do.
Best dependency update automation tools
A practical buyer's guide to dependency update automation tools -- what to evaluate, and how Dependabot, Renovate, Snyk, Socket, and others really compare.
Untracked Dependencies in the Software Supply Chain
Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.
Immature Open Source Projects as a Supply Chain Risk
xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.
Under/Oversized Dependency Risk in Modern Applications
Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.
The Complete Guide to Dependency Lifecycle Management
Dependencies are not static. They are born, maintained, deprecated, and abandoned. Here is how to manage the full lifecycle of your software dependencies.