package-management
Safeguard articles tagged "package-management" — guides, analysis, and best practices for software supply chain and application security.
12 articles
Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard
Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.
What is Dependency Confusion
Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.
What is a Private Package Registry
A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.
npm dependency confusion attacks against private package ...
How npm dependency confusion lets attackers hijack internal package names on public registries — and why private npm registry security gaps still leave teams exposed.
Reconstructing a Real-World Dependency Confusion Incident...
A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.
Poetry and Python Supply Chain Security
Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.
npm Registry Governance and the Security of node_modules
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
Pipenv Security Posture Review
Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.
npm Tightens Unpublish Rules: What It Means for Supply Chain Security
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
Dependency Pinning vs. Ranges: The Tradeoffs
Should you pin exact dependency versions or use ranges? The answer is more nuanced than most teams think, and getting it wrong has real security implications.
npm Registry Security Gets Serious: 2022's Major Improvements
From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.
Why Dependency Pinning Alone Is Not Enough
Pinning dependencies feels like a complete answer to supply chain risk. It is not — and the gap between pinning and real integrity matters more in 2022 than ever.