Safeguard
Tag

package-managers

Safeguard articles tagged "package-managers" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Open Source Security

How Snyk identifies dependency confusion attacks in priva...

A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.

Aug 25, 20257 min read
Open Source Security

Dependency Confusion Attacks Five Years Later: Are Enterp...

Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.

Aug 2, 20256 min read
Dev Practices

What Are Dependencies in Software?

A plain-English definition of software dependencies, how direct and transitive dependencies differ, and why most projects ship far more third-party code than code their own team wrote.

Mar 14, 20246 min read
Software Supply Chain Security

Post-Install Hooks Across Package Managers: A Comparative Security Analysis

Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.

Dec 10, 20235 min read
Software Supply Chain Security

Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism

Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.

Apr 8, 20234 min read
Software Supply Chain Security

Symlink Attacks in Package Managers: Following Links to Trouble

Symbolic links in package archives can redirect file operations to unintended locations. Here is how this old trick still works against modern tools.

Jan 8, 20234 min read
Supply Chain Security

Package Manager Security: npm, pip, and Maven Compared

Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.

Oct 8, 20228 min read
Software Supply Chain Security

Path Traversal in Dependency Installation: Writing Files Where They Should Not Go

Package archives can contain path traversal sequences that write files outside the expected directory. Most developers never check for this.

Sep 8, 20224 min read
package-managers (Page 2) — Safeguard Blog