Finding Forgotten Public npm Packages In Your Org
Public npm packages your org published years ago are now an attacker's best targets. Find them before someone else does.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Why most CVEs in your dependency tree are not exploitable in your application, and how reachability analysis separates real risk from noise.
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.
A walkthrough of generating SBOMs with Tern in 2026, covering layer-by-layer inspection, CycloneDX output, and practical comparison with Syft.
A practical incident response playbook tailored for supply chain compromises — from initial detection through containment, eradication, and lessons learned.
Two parallel inventories for software and AI assets do not survive contact with reality. A unified graph is what makes governance feasible.
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.
A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.
A practical migration path from CycloneDX 1.5 to 1.7 covering schema changes, machine learning BOM additions, formulation, and the tooling adjustments required.