Tag
registry-policy
Safeguard articles tagged "registry-policy" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Supply Chain
Inside PyPI Project Quarantine: How the Reversible Takedown Workflow Has Performed Since Launch
PyPI's Project Quarantine status, introduced in August 2024 and used roughly 140 times in its first year, replaces irreversible deletions with a reversible hidden state. Here is how the workflow operates and how to consume the signal.
Feb 4, 20266 min read
Open Source Security
npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry
After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.
Jan 22, 20266 min read