Safeguard
Tag

package-managers

Safeguard articles tagged "package-managers" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Buyer's Guides

SCA language and package manager coverage comparison

See how Safeguard and Black Duck differ on SCA language and package manager coverage, detection methodology, and transitive dependency depth.

Jun 14, 20267 min read
Open Source Security

Composer/PHP Package Supply Chain in 2026

PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.

Mar 5, 20268 min read
Open Source Security

JSR/Deno Package Ecosystem Supply Chain

JSR is the first mainstream package registry designed with supply chain security as a founding constraint. Here is what it gets right and what it has not solved yet.

Feb 28, 20267 min read
Open Source Security

pnpm and Yarn Modern Lockfile Security

pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.

Feb 24, 20267 min read
Open Source Security

cargo-audit and cargo-deny: A Real Workflow

A senior-engineer-grade workflow for using cargo-audit and cargo-deny together, with realistic policy decisions and the mistakes teams repeat.

Feb 20, 20267 min read
Open Source Security

NuGet Package Signing Status in 2026

NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.

Feb 17, 20267 min read
Open Source Security

Maven Central Sigstore Migration Status

Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.

Feb 12, 20267 min read
Open Source Security

Go Module Checksum Database In Depth

The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it actually works and where it still has edges.

Feb 7, 20266 min read
Open Source Security

Rust crates.io Supply Chain Controls in 2026

crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.

Feb 2, 20266 min read
Open Source Security

PyPI Trusted Publishing Common Pitfalls

PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.

Jan 28, 20267 min read
Open Source Security

npm Provenance Statements in Practice (2026)

A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.

Jan 22, 20266 min read
Open Source Security

How Snyk Container parses apk, deb, and rpm package datab...

How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.

Sep 4, 20257 min read
package-managers — Safeguard Blog