lockfiles
Safeguard articles tagged "lockfiles" — guides, analysis, and best practices for software supply chain and application security.
13 articles
Typosquatting and dependency confusion: a defense guide
In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.
Dependency Management for Beginners: Keeping Your Borrowed Code Healthy
Most of your application is packages other people wrote. Dependency management is the everyday craft of choosing them well, updating them safely, and keeping them from becoming a liability. Here is a friendly guide with a first step to try today.
Dependency confusion and npm supply-chain hardening
One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.
Dependency Management: Frequently Asked Questions
A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.
Ruby Gems Security: Signing, Yanking and Trusted Publishing
Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.
pnpm and Yarn Modern Lockfile Security
pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.
Terraform Module Supply Chain Security
The dependency lockfile everyone commits only covers providers — your modules float free. Pinning, provenance, and the code-execution paths hiding inside terraform plan.
Securing the .NET NuGet Supply Chain
Package source mapping, packages.lock.json, NuGetAudit and signature verification — .NET ships more built-in supply chain controls than any other ecosystem. Most teams enable none of them.
How Snyk Open Source builds a full dependency tree from p...
How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.
npm Vulnerabilities: Detection, Triage, and Fix Workflow
Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.
What is Dependency Pinning
Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.
PHP Composer Security: Lockfiles, Packagist and Abandoned Packages
composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.