package-managers
Safeguard articles tagged "package-managers" — guides, analysis, and best practices for software supply chain and application security.
20 articles
SCA language and package manager coverage comparison
See how Safeguard and Black Duck differ on SCA language and package manager coverage, detection methodology, and transitive dependency depth.
Composer/PHP Package Supply Chain in 2026
PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.
JSR/Deno Package Ecosystem Supply Chain
JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what it gets right and what it has not solved yet.
pnpm and Yarn Modern Lockfile Security
pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.
cargo-audit and cargo-deny: A Real Workflow
A senior-engineer-grade workflow for using cargo-audit and cargo-deny together, with realistic policy decisions and the mistakes teams repeat.
NuGet Package Signing Status in 2026
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
Maven Central Sigstore Migration Status
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
Go Module Checksum Database In Depth
The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it actually works and where it still has edges.
Rust crates.io Supply Chain Controls in 2026
crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.
PyPI Trusted Publishing Common Pitfalls
PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.
npm Provenance Statements in Practice (2026)
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
How Snyk Container parses apk, deb, and rpm package datab...
How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.