open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Common Go module vulnerability patterns and how govulncheck helps
Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.
The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection
Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.
Top open-source vulnerabilities in the npm ecosystem
Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.
Contributing to open source securely: a guide for new maintainers and PR authors
It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.
Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI
Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.
Anatomy of a Software Supply-Chain Worm: A Post-Mortem Framework
500+ npm packages backdoored in days, then 796 more two months later. A repeatable post-mortem framework for self-propagating open-source worms.
The 4 dimensions of open-source dependency risk
Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.
What the curl CVE disclosures teach about patching embedded C libraries
curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.
Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs
Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.
Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard
Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.
How Attackers Clone GitHub Repos to Ship Malware
One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.
The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk
In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.