supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
767 articles
SLSA v1.1 Build Track: What Approved Means for Adopters
SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.
npm pack: How to Publish Without Leaking Secrets
npm pack builds the exact tarball that would be published to the registry. Using it before every publish is the simplest way to avoid shipping secrets.
Audio Processing Library Vulnerabilities: The Sound of Exploitation
Audio libraries parse complex binary formats in C code. They share the same vulnerability patterns as image and video codecs, with less security scrutiny.
Oracle Cloud Classic SSO Incident: rose87168 and the Legacy Endpoint Problem
In March 2025 an actor calling themselves rose87168 advertised six million Oracle Cloud SSO and LDAP records, and Oracle quietly acknowledged a breach of legacy infrastructure. We unpack what happened and what tenants should do.
Rust Supply Chain: cargo-vet Expansion in 2025
Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.
copy-webpack-plugin and terser-webpack-plugin: Build Pipeline Hygiene
The copy-webpack-plugin npm package and terser-webpack-plugin sit in almost every webpack build. Here's how to configure both without leaking files or shipping stale minifiers.
webpack-bundle-analyzer: Find Bloat and Risky Dependencies in Your Bundle
webpack bundle analyzer turns your build output into a zoomable treemap. Used well, it finds not just bloat but duplicated packages, surprise transitive dependencies, and code you never meant to ship.
Bounty Program Scoping for Dependencies
How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.
The MIT Licence Explained: What It Permits and Its Security Implications
The MIT licence is one of the most permissive open source licences in use, and understanding what it allows tells you a lot about the risk you inherit with a dependency.
Open Source Security Census 2025: Who Maintains the Code We All Depend On?
An analysis of the state of open-source security in 2025. Critical infrastructure runs on projects maintained by small, often unpaid teams. Here is what the data shows and why it matters.
Video Codec Supply Chain Risks: The Hidden Attack Surface in Media Libraries
Video codecs are some of the most complex code in your dependency tree. Their complexity and privileged execution make them prime supply chain targets.
AI Agent Frameworks: A Security Assessment of the New Autonomous Frontier
AI agents that can execute code, browse the web, and manage infrastructure are proliferating. The security implications of these autonomous frameworks demand scrutiny.