Safeguard
Tag

dependency-risk

Safeguard articles tagged "dependency-risk" — guides, analysis, and best practices for software supply chain and application security.

11 articles

Buyer's Guides

Checkmarx vs Snyk: which AppSec platform fits your stack

Checkmarx vs Snyk searches usually miss the real question: does your AppSec stack cover source code, or the full build-to-deploy supply chain? Here's how to check.

Jun 27, 20268 min read
Open Source Security

5 risks of using open source software

Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.

May 9, 20267 min read
Research

Abandoned Dependency Risk Study

The Safeguard Research team measured how much abandonment exists in real dependency graphs, how it correlates with risk, and what to do about it.

Feb 5, 20267 min read
AI Security

How slopsquatting exploits AI-hallucinated package names

Slopsquatting attacks turn AI-hallucinated package names into real supply chain threats. Here's how it works, the numbers behind it, and how Safeguard stops it.

Dec 14, 20257 min read
Open Source Security

Unmaintained Open Source Software: A Supply Chain Risk

Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.

Nov 3, 20257 min read
Open Source Security

How Snyk Advisor's package health score weighs popularity...

Snyk Advisor scores packages 0-100 using four signals: popularity, maintenance, community, and security. Here is exactly how each one is calculated.

Aug 25, 20257 min read
Open Source Security

The Long Tail of Abandoned Open Source Projects and Enter...

Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.

Aug 12, 20257 min read
Open Source Security

The Economics of Free Riding in Open Source Security

Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.

Aug 10, 20258 min read
Open Source Security

Security Training Gaps Among Solo Maintainers of High-Imp...

xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.

Jul 26, 20257 min read
Open Source Security

Measuring Project Health: Bus Factor, Commit Velocity, an...

Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.

Jul 25, 20259 min read
Software Supply Chain Security

Abandoned Package Takeover: When Maintainers Walk Away

Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.

Mar 5, 20245 min read
dependency-risk — Safeguard Blog