Safeguard
Tag

dependency-management

Safeguard articles tagged "dependency-management" — guides, analysis, and best practices for software supply chain and application security.

129 articles

DevSecOps

Runbooks for Dependency Disclosure Events

Detailed runbooks for responding to dependency CVE disclosures across languages and ecosystems, with roles, commands, and timelines tuned for automation.

Jun 13, 20256 min read
Engineering

Vendoring Dependencies: When It Helps and When It Hurts Security

Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.

May 25, 20257 min read
Vulnerabilities

jQuery 3.6.0 Vulnerabilities: What Is Actually Exploitable

Scanners keep flagging jQuery 3.6.0 as vulnerable — but jQuery core in that version has no known direct CVEs. Here is what the alerts really mean and where the exploitable risk actually lives.

May 7, 20256 min read
Supply Chain

npm Vulnerabilities: Detection, Triage, and Fix Workflow

Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.

Mar 18, 20256 min read
Supply Chain

When to Fork an Abandoned Dependency

Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.

Mar 18, 20256 min read
Dev Practices

Node.js Backend Security Checklist

A working checklist for securing a Node.js backend: dependency hygiene, input validation, secrets, HTTP headers, and the CI gates that keep regressions out.

Mar 18, 20256 min read
Engineering

Go Module Security: sumdb, GOPROXY and Private Modules

How Go's checksum database actually protects you, where GOPROXY ordering bites, and the GOPRIVATE mistakes that leak internal module paths to public infrastructure.

Feb 27, 20257 min read
Vulnerabilities

Lodash 4.17.21: The Security History Behind the Version Bump

Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.

Feb 11, 20255 min read
Concepts

What is a Package Registry Mirror

A package registry mirror is a local copy or caching proxy of a public registry. It keeps builds running when npm is down — and controls what enters your supply chain.

Dec 17, 20246 min read
Best Practices

EHR System Dependency Governance

Electronic Health Record platforms carry decades of transitive dependencies. A practical governance model for hospitals, vendors, and compliance officers.

Oct 28, 20246 min read
Engineering

Rust Crate Security: cargo audit, cargo vet and Beyond

cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.

Sep 20, 20246 min read
Software Supply Chain Security

Cross-Platform App Supply Chain Risks You Cannot Ignore

Cross-platform frameworks multiply supply chain attack surfaces by combining multiple dependency ecosystems. Understanding these compounded risks is essential for modern mobile and desktop security.

Sep 5, 20247 min read
dependency-management (Page 9) — Safeguard Blog