Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

129 articles

Supply Chain

How to Fix a Vulnerable Transitive Dependency in npm

The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.

Oct 21, 20256 min read
Vulnerability Analysis

CVE-2020-11022: XSS in jQuery via htmlPrefilter

CVE-2020-11022 lets attacker-controlled HTML bypass sanitization via jQuery's htmlPrefilter, enabling XSS in versions before 3.5.0. Impact, timeline, and fixes.

Oct 15, 20257 min read
Supply Chain

SCA vs Static Code Analysis: The Real Difference

Software composition analysis and static code analysis get lumped together constantly, but they read entirely different things and catch entirely different bugs.

Sep 15, 20256 min read
Concepts

What Is Semantic Versioning?

Semantic versioning encodes the meaning of a release into its version number. Here is how MAJOR.MINOR.PATCH works and why it drives both dependency resolution and security triage.

Sep 9, 20256 min read
Open Source Security

How Snyk Open Source scans Go modules and resolves the Go...

How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.

Aug 29, 20257 min read
Open Source Security

How Snyk decides whether an automatic PR proposes a minor...

A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.

Aug 28, 20257 min read
Open Source Security

How Snyk patches remediate vulnerabilities that have no a...

How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.

Aug 27, 20257 min read
Open Source Security

How snyk monitor creates and tracks a point-in-time proje...

A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.

Aug 27, 20257 min read
Concepts

What Is a Transitive Dependency?

A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.

Aug 26, 20255 min read
Open Source Security

How Snyk detects deprecated or unmaintained packages befo...

A look at how Snyk Advisor scores package maintenance health and surfaces deprecated or abandoned dependencies before they turn into security incidents.

Aug 24, 20257 min read
Open Source Security

How Snyk handles vulnerability remediation for indirect (...

How does Snyk fix vulnerabilities buried in transitive dependencies you never directly installed? A look at dependency graphs, upgrade paths, and pinning.

Aug 23, 20256 min read
Comparisons

The .snyk Ignore File: How It Actually Works

Snyk ignore rules let teams suppress a finding without deleting it from history — here's how the .snyk file's syntax, expiry, and reason fields actually work in practice.

Aug 22, 20255 min read
dependency-management (Page 7) — Safeguard Blog