nuget
Safeguard articles tagged "nuget" — guides, analysis, and best practices for software supply chain and application security.
20 articles
The Moq NuGet incident: how a mocking library harvested developer emails
In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.
.NET Dependency Vulnerability Scanning: A Practical Guide
How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.
Scanning NuGet Packages for Vulnerabilities in .NET
The .NET SDK ships a built-in vulnerability scanner: dotnet list package --vulnerable. Here is how to audit NuGet dependencies with it — and where to go beyond it.
NuGet Supply Chain Security: Protecting Your .NET Dependencies
How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.
NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap
NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.
NuGet Package Signing Status in 2026
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
NuGet Package Manager Tampering / Spoofing Vulnerability ...
CVE-2019-0757 lets an authenticated attacker tamper with NuGet package contents on Linux/Mac. CVSS 6.5. Affected versions, timeline, and fixes inside.
Securing the .NET NuGet Supply Chain
Package source mapping, packages.lock.json, NuGetAudit and signature verification — .NET ships more built-in supply chain controls than any other ecosystem. Most teams enable none of them.
How Snyk scans NuGet and .NET project files for vulnerabl...
How Snyk resolves NuGet and .NET dependency graphs from csproj, packages.config, and project.assets.json files to find vulnerable packages.
NuGet Signed Packages Verification
NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.
dotnet restore Reproducibility Concerns
dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.
NuGet Package Vulnerabilities Dashboard
Listing every CVE in your NuGet dependency tree is easy. Turning it into a dashboard someone can act on is the work. A practical design.