Category
38 posts in this category.
Technical explainer
A practical walk-through of npm’s dependency resolver: how SemVer ranges become resolved versions, when nested copies appear in node_modules, and why reading a package-lock.json diff is the only reliable supply-chain review.
Technical explainer
pip’s backtracking resolver is what decides which version of every Python package gets installed. Here is how it works, what changed in pip 20.3, and how to make builds reproducible with hashed lockfiles.
Technical explainer
The lockfile is the source of truth for what your build will install. A field-by-field walk-through of package-lock.json so the next thousand-line lockfile diff in code review is readable in minutes.
Technical explainer
Dependency confusion lets attackers serve malicious packages to your developers by exploiting how npm and pip resolve package names. Here's the exact mechanism, real examples, and defenses.
Technical explainer
npm ci installs strictly from package-lock.json with integrity verification on every package. A small command change with outsized benefits for build reproducibility, performance, and supply-chain hygiene.
Technical explainer
Most supply chain attacks on npm and PyPI have an exposure window of hours to days before threat feeds catch up. Here's what that window looks like, who is most at risk, and what actually closes it.
Technical explainer
npm install executes arbitrary code from the internet with no verification. Here's why that's true by design, what the consequences are, and how Veln adds the verification layer npm doesn't have.
Technical explainer
pip-compile --generate-hashes plus pip install --require-hashes gives you the Python equivalent of npm ci: byte-identical wheels across machines and refusal to install if any artifact’s hash does not match.
Technical explainer
Three Software Bill of Materials formats compete for the same shelf. Here is what each format is good at, where it is used, and how to pick one without overthinking it.
Technical explainer
npm postinstall is the most common code-execution surface for malicious packages. A taxonomy of the patterns observed in the wild — credential exfiltration, downloaded payloads, obfuscated runtime, conditional triggers — and what reliably catches each one.
Technical explainer
npm audit checks against known CVE databases and misses every zero-day supply chain attack. Here's exactly what npm audit does, its false positive problem, and how to use it correctly.
Technical explainer
Veln Consensus compares the hash of every package you download against other Veln users worldwide. Here's how it detects targeted attacks that few other tools can catch.
Technical explainer
GitHub Actions workflows are a prime target for supply chain attacks. Here's how to secure your npm and Python installs, pin action versions, and use Veln in CI.
Technical explainer
Your CI pipeline installed a malicious npm or Python package. Here's the exact incident response process: what to investigate, what to rotate, and how to prevent recurrence.
Technical explainer
Sigstore replaces long-lived signing keys with short-lived OIDC-issued certificates and a public transparency log. This is the foundation under npm provenance and PyPI Trusted Publishing — here is how the trust chain actually works.
Technical explainer
uv, pip, and poetry have different security properties. Here's a comparison of lockfile security, hash verification, and supply chain protections for each Python package manager.
Technical explainer
npm now supports build provenance via Sigstore. Here's what it is, how it works, what attacks it prevents, and where it leaves gaps that Veln fills.
Technical explainer
Trusted Publishing replaces long-lived publish tokens with short-lived OIDC identity assertions from your CI workflow. Setup takes 30 minutes and removes the most-stolen credential class from your infrastructure.
Technical explainer
If you publish npm packages, here's how to protect your account, secure your CI publishing pipeline, avoid patterns that trigger security scanners, and use npm provenance.
Technical explainer
A deep dive into securing Python package installs in Docker: multi-stage builds, non-root users, read-only filesystems, Buildkit secrets, and Veln in CI.
Technical explainer
ML and AI projects are uniquely exposed to supply chain attacks: large dependency trees, frequent new packages, cloud credentials, and model weights. Here's how to protect them.
Technical explainer
Python virtual environments isolate packages between projects but don't protect against malicious packages. Here's what venv actually does for security and what additional steps are needed.
Technical explainer
npm scopes (@company/package) are your first line of defense against dependency confusion attacks. Here's how to configure them correctly and what can still go wrong.
Technical explainer
A review of the current state of npm and PyPI security in 2026: what's improved, what remains broken, the most common attack patterns, and where the gaps still are.
Technical explainer
Veln assigns a trust score from 0–100 to every package install. Here's exactly what signals contribute to the score, what drives each verdict, and how to interpret the results.
Technical explainer
When Veln blocks or warns on a package, it produces a detailed report. Here's how to read every section of the report and decide what to do next.
Technical explainer
AWS credentials are the most commonly targeted secret in npm and PyPI supply chain attacks. Here's the specific patterns attackers use, why AWS is targeted, and how to protect your credentials.
Technical explainer
Abandoned and under-maintained npm and PyPI packages are a primary supply chain attack vector. Here's why maintainer burnout creates security risk and what developers can do about it.
Technical explainer
Private npm and PyPI registries (Artifactory, Nexus, Verdaccio) introduce unique security risks. Here's how to configure them securely and what Veln adds.
Technical explainer
npm automation tokens with full account access are the norm. Here's how to use granular npm access tokens, scope them to specific packages, and limit the blast radius if a token is stolen.
Technical explainer
CI caches for npm and Python can persist malicious packages across builds and across time. Here's which caching strategies are safe, which are risky, and how to configure them correctly.
Technical explainer
Monitoring outbound network traffic from your CI pipelines and developer machines is one of the most effective after-the-fact detections for supply chain attacks. Here's how to set it up.
Technical explainer
Using ^ and ~ in package.json lets npm automatically install new minor and patch versions. Here's why this creates a supply chain attack surface and how to use semver safely.
Technical explainer
Transitive npm dependencies are the primary supply chain attack surface, not direct dependencies. Here's why, how deep dependency trees amplify risk, and what to do about it.
Technical explainer
Before installing a Python package, you can verify its publisher, release history, download counts, and source code. Here's a step-by-step manual verification process and what Veln automates.
Technical explainer
npm lifecycle scripts and Python build hooks execute shell commands. Here's how the shell execution works, what escape vectors exist, and how Veln catches shell-based supply chain attacks.
Technical explainer
Unexpected license changes in transitive npm and Python dependencies can signal a supply chain compromise. Here's how license verification fits into your security posture.
Technical explainer
LLMs like GPT-4 and Claude sometimes recommend npm and Python packages that don't exist. Attackers register those package names. Here's the risk and how to protect yourself.