dependency-security
Safeguard articles tagged "dependency-security" — guides, analysis, and best practices for software supply chain and application security.
51 articles
Typosquatting in the Go module ecosystem
Typosquatting is surging across the Go module ecosystem, exploiting decentralized import paths and an immutable checksum database that makes takedowns nearly meaningless.
Known Vulnerabilities in Dependencies: Detection and Triage
Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.
Unapproved Change Risk in the Software Supply Chain
How unreviewed code, dependency, and pipeline changes create supply chain breaches like SolarWinds and XZ Utils - and how to detect them before attackers do.
CVE-2020-7676: XSS in vue-template-compiler
CVE-2020-7676 is an XSS flaw in vue-template-compiler (pre-2.6.12) that lets attacker-controlled templates bypass URI sanitization. Impact, fix, and remediation.
CVE-2023-32681: requests leaks Proxy-Authorization on red...
A malicious proxy could capture Proxy-Authorization credentials from Python's requests library when redirects crossed to HTTPS, before v2.31.0.
Monorepo vs Polyrepo: How Architecture Choices Shape Supp...
Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.
Hallucinated Dependencies: How AI Models Invent Package N...
AI coding assistants regularly invent package names that don't exist — and attackers are registering them first. Here's how slopsquatting works and how to defend against it.
Post-Install Scripts: The Overlooked Execution Point Atta...
Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.
Protestware and Sabotage: When Maintainers Turn Against T...
Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.
Dart/Flutter Dependency Security: Securing the Mobile Supply Chain
Flutter's pub ecosystem is growing fast. The security tooling has not kept pace. Here is what you need to know about securing Dart dependencies.
Socket.dev: Detecting Supply Chain Attacks Before They Hit
A review of Socket.dev's approach to supply chain security, focusing on behavior analysis of npm packages, install script detection, and typosquatting prevention.
Stripe's Dependency Security Practices
How Stripe secures its software dependencies while processing billions of dollars in payments, with a focus on Ruby ecosystem hardening and dependency isolation.