Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

767 articles

Frameworks

SLSA v1.1 Build Track: What Approved Means for Adopters

SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.

May 8, 20257 min read
Open Source

npm pack: How to Publish Without Leaking Secrets

npm pack builds the exact tarball that would be published to the registry. Using it before every publish is the simplest way to avoid shipping secrets.

May 6, 20255 min read
Vulnerability Research

Audio Processing Library Vulnerabilities: The Sound of Exploitation

Audio libraries parse complex binary formats in C code. They share the same vulnerability patterns as image and video codecs, with less security scrutiny.

Apr 28, 20255 min read
Incident Analysis

Oracle Cloud Classic SSO Incident: rose87168 and the Legacy Endpoint Problem

In March 2025 an actor calling themselves rose87168 advertised six million Oracle Cloud SSO and LDAP records, and Oracle quietly acknowledged a breach of legacy infrastructure. We unpack what happened and what tenants should do.

Apr 22, 20257 min read
Open Source Security

Rust Supply Chain: cargo-vet Expansion in 2025

Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.

Apr 15, 20255 min read
Supply Chain

copy-webpack-plugin and terser-webpack-plugin: Build Pipeline Hygiene

The copy-webpack-plugin npm package and terser-webpack-plugin sit in almost every webpack build. Here's how to configure both without leaking files or shipping stale minifiers.

Apr 9, 20256 min read
Supply Chain

webpack-bundle-analyzer: Find Bloat and Risky Dependencies in Your Bundle

webpack bundle analyzer turns your build output into a zoomable treemap. Used well, it finds not just bloat but duplicated packages, surprise transitive dependencies, and code you never meant to ship.

Apr 9, 20257 min read
Best Practices

Bounty Program Scoping for Dependencies

How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.

Apr 8, 20258 min read
Security

The MIT Licence Explained: What It Permits and Its Security Implications

The MIT licence is one of the most permissive open source licences in use, and understanding what it allows tells you a lot about the risk you inherit with a dependency.

Mar 18, 20256 min read
Industry Analysis

Open Source Security Census 2025: Who Maintains the Code We All Depend On?

An analysis of the state of open-source security in 2025. Critical infrastructure runs on projects maintained by small, often unpaid teams. Here is what the data shows and why it matters.

Mar 8, 20255 min read
Software Supply Chain Security

Video Codec Supply Chain Risks: The Hidden Attack Surface in Media Libraries

Video codecs are some of the most complex code in your dependency tree. Their complexity and privileged execution make them prime supply chain targets.

Mar 5, 20255 min read
AI Security

AI Agent Frameworks: A Security Assessment of the New Autonomous Frontier

AI agents that can execute code, browse the web, and manage infrastructure are proliferating. The security implications of these autonomous frameworks demand scrutiny.

Mar 5, 20256 min read
supply-chain (Page 32) — Safeguard Blog