Tag
vendoring
Safeguard articles tagged "vendoring" — guides, analysis, and best practices for software supply chain and application security.
2 articles
Supply Chain Security
The C++ supply chain has no npm — and that's the risk
C++ has no single package registry like npm or PyPI, so vendored code hides provenance — the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shows the cost.
Jul 11, 20266 min read
Engineering
Vendoring Dependencies: When It Helps and When It Hurts Security
Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.
May 25, 20257 min read