Safeguard
Tag

dependency-security

Safeguard articles tagged "dependency-security" — guides, analysis, and best practices for software supply chain and application security.

51 articles

Open Source Security

Typosquatting in the Go module ecosystem

Typosquatting is surging across the Go module ecosystem, exploiting decentralized import paths and an immutable checksum database that makes takedowns nearly meaningless.

Nov 20, 20257 min read
Software Supply Chain Security

Known Vulnerabilities in Dependencies: Detection and Triage

Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.

Nov 4, 20258 min read
Software Supply Chain Security

Unapproved Change Risk in the Software Supply Chain

How unreviewed code, dependency, and pipeline changes create supply chain breaches like SolarWinds and XZ Utils - and how to detect them before attackers do.

Nov 2, 20258 min read
Vulnerability Analysis

CVE-2020-7676: XSS in vue-template-compiler

CVE-2020-7676 is an XSS flaw in vue-template-compiler (pre-2.6.12) that lets attacker-controlled templates bypass URI sanitization. Impact, fix, and remediation.

Oct 10, 20257 min read
Vulnerability Analysis

CVE-2023-32681: requests leaks Proxy-Authorization on red...

A malicious proxy could capture Proxy-Authorization credentials from Python's requests library when redirects crossed to HTTPS, before v2.31.0.

Oct 7, 20258 min read
Open Source Security

Monorepo vs Polyrepo: How Architecture Choices Shape Supp...

Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.

Aug 11, 20257 min read
Open Source Security

Hallucinated Dependencies: How AI Models Invent Package N...

AI coding assistants regularly invent package names that don't exist — and attackers are registering them first. Here's how slopsquatting works and how to defend against it.

Aug 7, 20257 min read
Open Source Security

Post-Install Scripts: The Overlooked Execution Point Atta...

Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.

Aug 1, 20258 min read
Open Source Security

Protestware and Sabotage: When Maintainers Turn Against T...

Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.

Aug 1, 20257 min read
Software Supply Chain Security

Dart/Flutter Dependency Security: Securing the Mobile Supply Chain

Flutter's pub ecosystem is growing fast. The security tooling has not kept pace. Here is what you need to know about securing Dart dependencies.

Sep 12, 20235 min read
Tool Reviews

Socket.dev: Detecting Supply Chain Attacks Before They Hit

A review of Socket.dev's approach to supply chain security, focusing on behavior analysis of npm packages, install script detection, and typosquatting prevention.

Aug 22, 20235 min read
Case Studies

Stripe's Dependency Security Practices

How Stripe secures its software dependencies while processing billions of dollars in payments, with a focus on Ruby ecosystem hardening and dependency isolation.

Jul 12, 20237 min read
dependency-security (Page 4) — Safeguard Blog