Safeguard
Tag

lockfiles

Safeguard articles tagged "lockfiles" — guides, analysis, and best practices for software supply chain and application security.

13 articles

Supply Chain Attacks

Typosquatting and dependency confusion: a defense guide

In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.

Jul 14, 20266 min read
Guides

Dependency Management for Beginners: Keeping Your Borrowed Code Healthy

Most of your application is packages other people wrote. Dependency management is the everyday craft of choosing them well, updating them safely, and keeping them from becoming a liability. Here is a friendly guide with a first step to try today.

Jul 8, 20266 min read
Supply Chain Security

Dependency confusion and npm supply-chain hardening

One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.

Jul 8, 20267 min read
FAQ

Dependency Management: Frequently Asked Questions

A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.

Jul 4, 20266 min read
Engineering

Ruby Gems Security: Signing, Yanking and Trusted Publishing

Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.

Mar 20, 20266 min read
Open Source Security

pnpm and Yarn Modern Lockfile Security

pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.

Feb 24, 20267 min read
Engineering

Terraform Module Supply Chain Security

The dependency lockfile everyone commits only covers providers — your modules float free. Pinning, provenance, and the code-execution paths hiding inside terraform plan.

Dec 18, 20256 min read
Engineering

Securing the .NET NuGet Supply Chain

Package source mapping, packages.lock.json, NuGetAudit and signature verification — .NET ships more built-in supply chain controls than any other ecosystem. Most teams enable none of them.

Nov 24, 20256 min read
Open Source Security

How Snyk Open Source builds a full dependency tree from p...

How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.

Aug 30, 20258 min read
Supply Chain

npm Vulnerabilities: Detection, Triage, and Fix Workflow

Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.

Mar 18, 20256 min read
Concepts

What is Dependency Pinning

Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.

Oct 8, 20246 min read
Engineering

PHP Composer Security: Lockfiles, Packagist and Abandoned Packages

composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.

Apr 18, 20246 min read
lockfiles — Safeguard Blog