package-managers
Safeguard articles tagged "package-managers" — guides, analysis, and best practices for software supply chain and application security.
20 articles
How Snyk identifies dependency confusion attacks in priva...
A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.
Dependency Confusion Attacks Five Years Later: Are Enterp...
Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.
What Are Dependencies in Software?
A plain-English definition of software dependencies, how direct and transitive dependencies differ, and why most projects ship far more third-party code than code their own team wrote.
Post-Install Hooks Across Package Managers: A Comparative Security Analysis
Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.
Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism
Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.
Symlink Attacks in Package Managers: Following Links to Trouble
Symbolic links in package archives can redirect file operations to unintended locations. Here is how this old trick still works against modern tools.
Package Manager Security: npm, pip, and Maven Compared
Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.
Path Traversal in Dependency Installation: Writing Files Where They Should Not Go
Package archives can contain path traversal sequences that write files outside the expected directory. Most developers never check for this.