Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1053 articles

Open Source Security

Pinning Python dependencies: requirements.txt vs Poetry a...

A practical guide to python dependency pinning with requirements.txt, pip-tools, and Poetry — locked, hash-verified builds instead of moving-target dependencies.

Jan 27, 20268 min read
Open Source Security

Auditing Python dependencies with pip-audit and Safety

A hands-on pip-audit tutorial covering Python dependency scanning, Safety CLI comparisons, and a workflow for catching PyPI vulnerabilities before release.

Jan 27, 20267 min read
Open Source Security

Auditing Rails applications' Gemfile for vulnerable depen...

A practical guide to auditing your Rails Gemfile and Gemfile.lock for vulnerable dependencies using bundler-audit, from triage through CI automation.

Jan 26, 20268 min read
Regulatory Compliance

FastAPI and Pydantic dependency injection security pitfalls

FastAPI's Depends() and Pydantic's type validation look airtight but hide real bypass patterns — caching bugs, extra="allow" mass assignment, and leaked test overrides.

Jan 26, 20267 min read
Industry Analysis

Async Python request smuggling risks in Starlette and Uvi...

Starlette request smuggling exploits parsing gaps between proxies and Uvicorn/h11. Learn the CL.TE mechanics, a real CVE, and how Safeguard closes the gap.

Jan 25, 20268 min read
Open Source Security

PyPI malware campaigns targeting machine learning and dat...

PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.

Jan 25, 20269 min read
Open Source Security

npm supply chain attacks via malicious postinstall scripts

How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.

Jan 25, 20267 min read
Industry Analysis

State of Software Supply Chain Security 2026

A senior-engineer view of where software supply chain security stands in 2026: what's changed, what's stuck, and where budgets, regulations, and attacker tactics converge.

Jan 25, 20269 min read
AI Security

AI Cybersecurity Glossary: Key Machine Learning & Security Terms

A defender's glossary of AI security terms — prompt injection, model poisoning, AI-BOM, adversarial ML — with dated, real-world incidents behind each one.

Jan 24, 20268 min read
Open Source Security

package-lock.json integrity checks and the npm audit work...

A step-by-step guide to verifying package-lock.json integrity, running npm audit correctly, and scanning Node.js dependencies for tampering and vulnerabilities.

Jan 24, 20268 min read
Industry Analysis

Prototype pollution vulnerabilities in Node.js and NestJS...

How prototype pollution reaches NestJS apps through lodash, qs, tough-cookie, and dotenv-expand — and how Safeguard catches it before it merges.

Jan 24, 20267 min read
Open Source Security

npm dependency confusion attacks against private package ...

How npm dependency confusion lets attackers hijack internal package names on public registries — and why private npm registry security gaps still leave teams exposed.

Jan 23, 20267 min read
supply-chain-security (Page 49) — Safeguard Blog