Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.
Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.
Public when it should have been private. Private when it should have been archived. The state of npm package visibility across an organization is almost always worse than the team thinks.
Three audit tools, three philosophies, three blind spots. A ground-level comparison of how npm, pnpm, and yarn surface vulnerabilities, and where each one leaves you exposed.
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
Npm's team-based permissions are more expressive than most organizations use. A walkthrough of the access model and the configurations that actually reduce blast radius.
Two years after Log4Shell shook the internet, many organizations still have vulnerable Log4j instances. The vulnerability changed how we think about supply chain security—but did it change how we act?
A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.
Weekly insights on software supply chain security, delivered to your inbox.