Python Packaging Authority and the Security of pip install
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.
Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.
Running pip install can execute arbitrary code on your machine before you ever import the package. Here is how install hooks create risk.