dependency-security
Safeguard articles tagged "dependency-security" — guides, analysis, and best practices for software supply chain and application security.
51 articles
AppSec anti-patterns to eliminate
23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.
Can AI-Generated Code Be Trusted? A Security Review
A 2025 USENIX study found LLMs hallucinate nonexistent packages in up to 21.7% of code samples — and attackers are already registering the names.
Contributing to open source securely: a guide for new maintainers and PR authors
It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.
A Checklist for Reviewing AI-Generated Code Before It Merges
19.7% of packages LLMs recommend don't exist in real registries, per a 576,000-sample USENIX 2025 study — here's what to check before merging AI-written code.
The State of Open Source Security: What a Year of Disclosure Data Shows
454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.
A dormant contributor account just took down the entire Mastra npm scope
One forgotten npm maintainer account let an attacker republish all 142 packages in the @mastra scope in 90 minutes, hitting a package with 4 million monthly downloads.
ua-parser-js npm hijack incident
In 2021, a hijacked npm account pushed cryptomining and password-stealing malware into ua-parser-js for 4 hours. Here's what happened and how to catch it faster.
A forgotten contributor account compromised the Mastra npm scope
A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.
Preventing malicious packages with automated detection
Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.
AI hallucinations and their security implications for developers
LLMs hallucinate nonexistent packages in up to 1 in 5 code samples — and slopsquatting attacks are already exploiting that predictability in the wild.
Comparing Node.js frameworks for security: Express, Fastify, NestJS
Express, Fastify, and NestJS compared on real CVE history, default security posture, and dependency risk — plus how to close the gaps framework choice alone can't.
Using Python libraries for secure network communication
A look at requests, urllib3, cryptography, and paramiko: real CVEs (Terrapin, header leaks), insecure defaults, and how to pin them safely.