Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

129 articles

Open Source Security

What a Decade of Open Source Vulnerability Data Tells Us ...

CVEs grew sixfold in a decade. Here is what a decade of open source vulnerability trends reveals about ecosystem maturity, from Log4Shell to the xz backdoor.

Aug 11, 20258 min read
Open Source Security

Direct vs Transitive Vulnerabilities: Why the Distinction...

Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.

Aug 11, 20258 min read
Open Source Security

How Package Manager Design Choices Influence Supply Chain...

npm, PyPI, RubyGems, Go, and Cargo each made different design bets on install scripts, namespacing, and signing — and those bets directly shape supply chain attack surface.

Aug 11, 20258 min read
Concepts

What Is a Lockfile?

A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.

Aug 5, 20255 min read
Open Source Security

Corporate Dependence on Volunteer-Maintained Projects: A ...

Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.

Jul 27, 20257 min read
Open Source Security

What Would It Actually Cost Companies to Fund Their Criti...

Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.

Jul 27, 20257 min read
Open Source Security

Succession Planning for Open Source Projects: Why It Rare...

Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.

Jul 26, 20257 min read
Product

Why Security Debt Accumulates Fastest in the Most 'Produc...

High-velocity engineering teams accumulate the most security debt, not the least. Here's why speed hides risk — and how to catch it without slowing down.

Jul 23, 20257 min read
Supply Chain

SCA Security Testing: A Workflow Guide

SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.

Jul 21, 20255 min read
Concepts

What Is a Package Registry?

A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.

Jul 14, 20256 min read
Open Source Security

Building an Open Source Risk Intelligence Platform: Beyond Vulnerability Scanning

Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.

Jun 25, 20257 min read
Governance

Writing a Deprecation Policy for Third-Party Components

End-of-life libraries leave codebases only when something forces them out. A written component deprecation policy with triggers, timelines, and CI gates does the forcing on your schedule, not an attacker's.

Jun 24, 20255 min read
dependency-management (Page 8) — Safeguard Blog