npm Lockfile v3 Security Improvements
Lockfile v3 is more than a format bump. It quietly fixed a class of integrity bugs that plagued v1 and v2, and the difference matters more than most teams realize.
Abandoned open source projects do not disappear. They continue to be installed, depended upon, and deployed in production. They just stop getting security patches.
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.
Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.
The Apache Software Foundation oversees 350+ projects including some of the most widely deployed software on earth. Their security practices set the standard for foundation-governed open source.
Supply chain attacks on open source come in distinct flavors. Understanding the taxonomy helps defenders prioritize controls and recognize threats before they reach production.
PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.
sum.golang.org went public in August 2019. After four years of production, here is what the Go checksum database got right and what it did not.