Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

Common Go module vulnerability patterns and how govulncheck helps

Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.

Jul 14, 20266 min read
Open Source Security

The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection

Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.

Jul 14, 20266 min read
Open Source Security

Top open-source vulnerabilities in the npm ecosystem

Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.

Jul 14, 20267 min read
Open Source Security

Contributing to open source securely: a guide for new maintainers and PR authors

It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.

Jul 12, 20267 min read
Open Source Security

Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI

Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.

Jul 10, 20266 min read
Supply Chain Attacks

Anatomy of a Software Supply-Chain Worm: A Post-Mortem Framework

500+ npm packages backdoored in days, then 796 more two months later. A repeatable post-mortem framework for self-propagating open-source worms.

Jul 9, 20266 min read
Open Source Security

The 4 dimensions of open-source dependency risk

Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.

Jul 9, 20267 min read
Open Source Security

What the curl CVE disclosures teach about patching embedded C libraries

curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.

Jul 8, 20267 min read
Open Source Security

Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs

Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.

Jul 8, 20267 min read
Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Supply Chain Security

How Attackers Clone GitHub Repos to Ship Malware

One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.

Jul 8, 20267 min read
Open Source Security

The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk

In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.

Jul 8, 20266 min read
open-source-security — Safeguard Blog