Open Source Security
npm Workspaces Security Considerations
Workspaces are fantastic for developer experience and hostile to naive security tooling. Here is what actually changes when you flip them on.
Jun 12, 20246 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Workspaces are fantastic for developer experience and hostile to naive security tooling. Here is what actually changes when you flip them on.
Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what changed, who was affected, and what Java teams should do.
Go workspaces make multi-module development feel natural, but the go.work file introduces a new trust boundary that can quietly override pinned versions and bypass checksum verification.
Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, what it doesn't do, and when to use it instead of a delete.
Auditing a .NET supply chain is a different exercise than auditing a JavaScript one, and the patterns that actually find problems are specific to how the ecosystem works.
Python's flat namespace creates real security problems. Here is how namespace packages, shadowing, and install order interact, and how to avoid the surprises.
Writing Rust for embedded or kernel targets drops you into no_std territory, and the supply chain rules are different there. A practical look at what changes and why.
Six months after the OSS Pledge launch, adoption is climbing but uneven. Who signed, who followed through with funding, and what the pledge has actually shifted in open-source economics.
Kotlin Multiplatform ships one codebase to JVM, iOS, Android, JS, and native targets. The supply chain surface expands in specific ways worth tracking.
Weekly insights on software supply chain security, delivered to your inbox.