Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Software Supply Chain Security

Untracked Dependencies in the Software Supply Chain

Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.

Nov 3, 20257 min read
Open Source Security

Immature Open Source Projects as a Supply Chain Risk

xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.

Nov 3, 20257 min read
Open Source Security

Under/Oversized Dependency Risk in Modern Applications

Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.

Nov 2, 20257 min read
Concepts

What Is OSV (Open Source Vulnerabilities)?

OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.

Oct 21, 20256 min read
Concepts

What Is Semantic Versioning?

Semantic versioning encodes the meaning of a release into its version number. Here is how MAJOR.MINOR.PATCH works and why it drives both dependency resolution and security triage.

Sep 9, 20256 min read
Open Source Security

How Snyk Container detects application-level dependencies...

A mechanical look at how Snyk Container scans image filesystems to detect npm, pip, Maven, and other application dependencies bundled inside containers.

Sep 6, 20257 min read
Open Source Security

How Snyk Container prioritizes OS package vulnerabilities...

A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.

Sep 5, 20258 min read
Open Source Security

How Snyk Container parses apk, deb, and rpm package datab...

How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.

Sep 4, 20257 min read
Open Source Security

How Snyk Open Source builds a full dependency tree from p...

How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.

Aug 30, 20258 min read
Open Source Security

How Snyk parses npm, yarn, and pnpm lockfiles differently...

How Snyk resolves exact package versions from npm, Yarn, and pnpm lockfiles — and why each format's structure demands its own parsing logic.

Aug 30, 20257 min read
Open Source Security

How Snyk resolves Maven and Gradle dependency graphs incl...

Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.

Aug 30, 20257 min read
Open Source Security

How Snyk handles Python dependency resolution across pip,...

How Snyk resolves Python dependency trees differently for pip, Poetry, and Pipenv, and what that means for vulnerability scan accuracy.

Aug 29, 20257 min read
open-source-security (Page 21) — Safeguard Blog