Safeguard
Tag

transitive-dependencies

Safeguard articles tagged "transitive-dependencies" — guides, analysis, and best practices for software supply chain and application security.

18 articles

Security Guides

Managing Transitive Dependencies: The Vulnerabilities You Didn't Choose

Most dependency risk lives in packages you never installed directly. Here is how transitive dependencies work across ecosystems and how to audit and control them.

Jul 8, 20265 min read
Supply Chain Attacks

The Moq NuGet incident: how a mocking library harvested developer emails

In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.

Jul 8, 20266 min read
Tutorials

How to Remediate Transitive Dependency Vulnerabilities

Fix vulnerabilities in the nested packages you never installed directly — trace the import chain, choose between upgrading the parent or overriding the child, and verify the fix without breaking builds.

Jul 7, 20265 min read
Threat Research

Transitive Dependency Risk Explained: The Code You Never Chose

Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.

Jul 6, 20266 min read
Software Supply Chain Security

event-stream npm package backdoor incident

How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.

Jul 5, 20267 min read
FAQ

Dependency Management: Frequently Asked Questions

A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.

Jul 4, 20266 min read
Threat Research

Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend

CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.

Jul 2, 20266 min read
Concepts

Understanding Dependency Trees

The libraries you install are only the tip of the iceberg. Each one pulls in its own dependencies, which pull in more, forming a tree that can run hundreds of packages deep. Understanding that tree is the first step to securing it.

Jul 2, 20267 min read
Open Source Security

Transitive dependency vulnerabilities explained

A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.

Apr 30, 20267 min read
Open Source Security

What Are Transitive Dependencies

Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.

Apr 3, 20266 min read
Research

Top 10 Riskiest Transitive Dependencies 2026

The Safeguard Research team built a risk index for transitive dependencies and ranked the ten categories that concentrate the most risk in modern stacks.

Feb 19, 20268 min read
Vulnerability Analysis

Log4Shell (CVE-2021-44228) and the supply chain lessons o...

A Log4Shell CVE-2021-44228 analysis covering the JNDI lookup flaw, CVSS 10.0 severity, KEV status, patch timeline, remediation steps, and the transitive dependency lessons it taught.

Jan 22, 20268 min read
transitive-dependencies — Safeguard Blog