Tag
package-publishing
Safeguard articles tagged "package-publishing" — guides, analysis, and best practices for software supply chain and application security.
3 articles
DevSecOps
Why Automated Package Publishing Pipelines Are a Growing ...
From tj-actions to xz utils, attackers are hijacking CI/CD pipelines to poison packages at the source. Here's why publishing pipelines are the new frontline.
Jul 30, 20257 min read
Concepts
What is a Trusted Publisher (PyPI and npm)
A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.
May 21, 20257 min read
Software Supply Chain Security
Secure Package Publishing Checklist for Open Source Maintainers
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
Aug 28, 20237 min read