Safeguard
Tag

package-management

Safeguard articles tagged "package-management" — guides, analysis, and best practices for software supply chain and application security.

12 articles

Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Software Supply Chain Security

What is Dependency Confusion

Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.

Apr 4, 20266 min read
Software Supply Chain Security

What is a Private Package Registry

A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.

Feb 4, 20266 min read
Open Source Security

npm dependency confusion attacks against private package ...

How npm dependency confusion lets attackers hijack internal package names on public registries — and why private npm registry security gaps still leave teams exposed.

Jan 23, 20267 min read
Open Source Security

Reconstructing a Real-World Dependency Confusion Incident...

A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.

Jul 31, 20257 min read
Open Source Security

Poetry and Python Supply Chain Security

Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.

Feb 22, 20246 min read
Open Source Security

npm Registry Governance and the Security of node_modules

The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.

Jan 8, 20247 min read
Open Source Security

Pipenv Security Posture Review

Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.

Aug 30, 20236 min read
Open Source Security

npm Tightens Unpublish Rules: What It Means for Supply Chain Security

npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.

Aug 1, 20235 min read
Analysis

Dependency Pinning vs. Ranges: The Tradeoffs

Should you pin exact dependency versions or use ranges? The answer is more nuanced than most teams think, and getting it wrong has real security implications.

Jan 25, 20236 min read
Open Source Security

npm Registry Security Gets Serious: 2022's Major Improvements

From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.

Oct 1, 20226 min read
Best Practices

Why Dependency Pinning Alone Is Not Enough

Pinning dependencies feels like a complete answer to supply chain risk. It is not — and the gap between pinning and real integrity matters more in 2022 than ever.

May 17, 20226 min read
package-management — Safeguard Blog