dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
How to Fix a Vulnerable Transitive Dependency in npm
The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.
CVE-2020-11022: XSS in jQuery via htmlPrefilter
CVE-2020-11022 lets attacker-controlled HTML bypass sanitization via jQuery's htmlPrefilter, enabling XSS in versions before 3.5.0. Impact, timeline, and fixes.
SCA vs Static Code Analysis: The Real Difference
Software composition analysis and static code analysis get lumped together constantly, but they read entirely different things and catch entirely different bugs.
What Is Semantic Versioning?
Semantic versioning encodes the meaning of a release into its version number. Here is how MAJOR.MINOR.PATCH works and why it drives both dependency resolution and security triage.
How Snyk Open Source scans Go modules and resolves the Go...
How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.
How Snyk decides whether an automatic PR proposes a minor...
A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.
How Snyk patches remediate vulnerabilities that have no a...
How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.
How snyk monitor creates and tracks a point-in-time proje...
A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.
What Is a Transitive Dependency?
A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.
How Snyk detects deprecated or unmaintained packages befo...
A look at how Snyk Advisor scores package maintenance health and surfaces deprecated or abandoned dependencies before they turn into security incidents.
How Snyk handles vulnerability remediation for indirect (...
How does Snyk fix vulnerabilities buried in transitive dependencies you never directly installed? A look at dependency graphs, upgrade paths, and pinning.
The .snyk Ignore File: How It Actually Works
Snyk ignore rules let teams suppress a finding without deleting it from history — here's how the .snyk file's syntax, expiry, and reason fields actually work in practice.