dependency-management
Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.
129 articles
Runbooks for Dependency Disclosure Events
Detailed runbooks for responding to dependency CVE disclosures across languages and ecosystems, with roles, commands, and timelines tuned for automation.
Vendoring Dependencies: When It Helps and When It Hurts Security
Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.
jQuery 3.6.0 Vulnerabilities: What Is Actually Exploitable
Scanners keep flagging jQuery 3.6.0 as vulnerable — but jQuery core in that version has no known direct CVEs. Here is what the alerts really mean and where the exploitable risk actually lives.
npm Vulnerabilities: Detection, Triage, and Fix Workflow
Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.
When to Fork an Abandoned Dependency
Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.
Node.js Backend Security Checklist
A working checklist for securing a Node.js backend: dependency hygiene, input validation, secrets, HTTP headers, and the CI gates that keep regressions out.
Go Module Security: sumdb, GOPROXY and Private Modules
How Go's checksum database actually protects you, where GOPROXY ordering bites, and the GOPRIVATE mistakes that leak internal module paths to public infrastructure.
Lodash 4.17.21: The Security History Behind the Version Bump
Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.
What is a Package Registry Mirror
A package registry mirror is a local copy or caching proxy of a public registry. It keeps builds running when npm is down — and controls what enters your supply chain.
EHR System Dependency Governance
Electronic Health Record platforms carry decades of transitive dependencies. A practical governance model for hospitals, vendors, and compliance officers.
Rust Crate Security: cargo audit, cargo vet and Beyond
cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.
Cross-Platform App Supply Chain Risks You Cannot Ignore
Cross-platform frameworks multiply supply chain attack surfaces by combining multiple dependency ecosystems. Understanding these compounded risks is essential for modern mobile and desktop security.