supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1053 articles
Pinning Python dependencies: requirements.txt vs Poetry a...
A practical guide to python dependency pinning with requirements.txt, pip-tools, and Poetry — locked, hash-verified builds instead of moving-target dependencies.
Auditing Python dependencies with pip-audit and Safety
A hands-on pip-audit tutorial covering Python dependency scanning, Safety CLI comparisons, and a workflow for catching PyPI vulnerabilities before release.
Auditing Rails applications' Gemfile for vulnerable depen...
A practical guide to auditing your Rails Gemfile and Gemfile.lock for vulnerable dependencies using bundler-audit, from triage through CI automation.
FastAPI and Pydantic dependency injection security pitfalls
FastAPI's Depends() and Pydantic's type validation look airtight but hide real bypass patterns — caching bugs, extra="allow" mass assignment, and leaked test overrides.
Async Python request smuggling risks in Starlette and Uvi...
Starlette request smuggling exploits parsing gaps between proxies and Uvicorn/h11. Learn the CL.TE mechanics, a real CVE, and how Safeguard closes the gap.
PyPI malware campaigns targeting machine learning and dat...
PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.
npm supply chain attacks via malicious postinstall scripts
How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.
State of Software Supply Chain Security 2026
A senior-engineer view of where software supply chain security stands in 2026: what's changed, what's stuck, and where budgets, regulations, and attacker tactics converge.
AI Cybersecurity Glossary: Key Machine Learning & Security Terms
A defender's glossary of AI security terms — prompt injection, model poisoning, AI-BOM, adversarial ML — with dated, real-world incidents behind each one.
package-lock.json integrity checks and the npm audit work...
A step-by-step guide to verifying package-lock.json integrity, running npm audit correctly, and scanning Node.js dependencies for tampering and vulnerabilities.
Prototype pollution vulnerabilities in Node.js and NestJS...
How prototype pollution reaches NestJS apps through lodash, qs, tough-cookie, and dotenv-expand — and how Safeguard catches it before it merges.
npm dependency confusion attacks against private package ...
How npm dependency confusion lets attackers hijack internal package names on public registries — and why private npm registry security gaps still leave teams exposed.