dependency-pinning
Safeguard articles tagged "dependency-pinning" — guides, analysis, and best practices for software supply chain and application security.
6 articles
The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning
In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.
Hardening CI/CD Against a Compromised Upstream Registry
The Sept 2025 npm attack hit packages with 2B weekly downloads in 2 hours. Pinning, lockfile checks, and mirrors would have stopped it cold.
The npm worm incident response playbook
Shai-Hulud compromised 500+ npm packages by auto-publishing itself with stolen tokens. Here's a concrete detection, rotation, and pinning playbook.
Mix dependency management and mix.lock integrity in Elixi...
A practical guide to mix.lock integrity: pinning Elixir dependencies, verifying lockfile hashes, and preventing supply chain tampering in mix.exs projects.
Terraform Module Supply Chain Security
The dependency lockfile everyone commits only covers providers — your modules float free. Pinning, provenance, and the code-execution paths hiding inside terraform plan.
What is Dependency Pinning
Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.