DepOversight · Blog
Field notes on dependency security, supply-chain incidents, and what we surface before disclosure.
- Dependency intelligence vs vulnerability scanning
  Two complementary tools, two different questions. A factual breakdown of what each one is built to answer, and where the boundary between them sits.

- What is pre-CVE dependency risk?
  A working definition for the class of dependency risk that exists before, and sometimes instead of, a CVE: the categories, the signals, and what review actually looks like.

- Why CVE scanners are not early-warning systems
  CVE scanners are good at one job: telling you which dependencies match a published advisory. That job ends where the most expensive incidents begin.

- Dependabot, OSV, and CVE scanners: what they miss before disclosure
  Three of the most widely deployed dependency-security tools, all built around the same data flow. A factual look at what each one is, what they do well, and their shared blind spot: the pre-advisory window.

- What an OpenSSF Scorecard score actually measures
  Scorecard reduces 19+ structural risk checks to a single 0–10 number. Useful when you understand what goes into the score, misleading when you do not.

- Silent patches: the security fixes nobody tells you about
  A non-trivial fraction of security-relevant fixes ship without an advisory, ever. What that means for the dependency graph you have today, and the few signals that catch them.

- Snyk vs dependency intelligence: what each one catches
  Snyk and dependency intelligence answer different questions. A factual look at what Snyk is built to do, what dependency intelligence adds, and how teams running both place them in the stack.

- Reading commit messages for security-relevant signals
  A practical taxonomy of the language patterns, diff shapes, and test names that reveal a security-relevant fix in a commit, long before any advisory exists.

- The hidden window between a security fix and a public CVE
  For most vulnerabilities, the fix lands in main long before any advisory or CVE exists. The gap is measured in days in the lucky cases and in months at the median. Here is what happens in that window.

- How DepOversight would have caught the axios npm compromise
  On 31 March 2026, two malicious axios releases were live on npm for just over three hours. There was no CVE. There was no advisory. Here is what we would have surfaced, and when.
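To make concrete the kind of signal the "Reading commit messages for security-relevant signals" entry above is about, here is an added example. It is not DepOversight's code and not the post's own taxonomy: a small heuristic that scores a commit on three cues, wording in the message, names of newly added tests, and the diff shape of input-handling code changed together with tests, and separates "loud" fixes (an advisory ID or explicit security wording) from "quiet" ones that only the shape gives away. The pattern lists, weights, threshold, and the three sample commits are all constructed assumptions for illustration.

```python
"""Heuristic triage of commit metadata for security-relevant fixes.

Added example, not DepOversight's code. The pattern lists, weights and
threshold are illustrative assumptions; the sample commits are constructed.
"""
import re
from dataclasses import dataclass, field

# Language patterns: phrases that often accompany a security fix even when the
# subject line never says "security". Weights are assumptions, not calibrated.
MESSAGE_SIGNALS = [
    (re.compile(r"\b(CVE-\d{4}-\d{4,}|GHSA-[\w-]{14})\b", re.I), 5, "advisory id"),
    (re.compile(r"\b(security|vulnerab\w*|exploit\w*)\b", re.I), 4, "explicit security wording"),
    (re.compile(r"\b(sanitiz\w*|escap\w*|validat\w*|canonicaliz\w*)\b", re.I), 2, "input handling"),
    (re.compile(r"\b(overflow|out[- ]of[- ]bounds|use[- ]after[- ]free|double[- ]free)\b", re.I), 4, "memory safety"),
    (re.compile(r"\b(path traversal|symlink|TOCTOU|race condition)\b", re.I), 3, "filesystem or race"),
    (re.compile(r"\b(ReDoS|catastrophic backtracking|prototype pollution|deserializ\w*)\b", re.I), 4, "known bug class"),
    (re.compile(r"\b(bounds? check|length check|limit|max(imum)? size)\b", re.I), 2, "added limit"),
    (re.compile(r"\b(harden\w*|restrict\w*|disallow\w*|reject\w*)\b", re.I), 2, "hardening verb"),
]
EXPLICIT = {"advisory id", "explicit security wording"}

# Test names: a new test that feeds hostile or oversized input is a strong tell.
TEST_NAME_SIGNALS = [
    (re.compile(r"malicious|evil|attacker|untrusted|poison", re.I), 3, "adversarial test name"),
    (re.compile(r"traversal|injection|xss|ssrf|redos|overflow", re.I), 4, "bug-class test name"),
    (re.compile(r"reject|invalid|oversized|too_?long|huge", re.I), 2, "negative-case test name"),
]

# Diff shape: input-handling code changed in the same commit as new tests.
INPUT_HANDLING_PATH = re.compile(r"pars|decod|deserial|unpack|extract|archive|auth|url|path|header", re.I)
TEST_PATH = re.compile(r"(^|/)(tests?|spec)/|(^|/)test_|_test\.|\.test\.", re.I)


@dataclass
class Commit:
    subject: str
    body: str = ""
    files: list = field(default_factory=list)        # paths touched by the diff
    added_tests: list = field(default_factory=list)  # names of newly added test functions


@dataclass
class Assessment:
    subject: str
    score: int
    signals: list
    flagged: bool   # score reached the review threshold
    quiet: bool     # flagged without any advisory id or explicit security wording


def assess(commit: Commit, threshold: int = 5) -> Assessment:
    """Score one commit; each pattern counts at most once per text it is run on."""
    text = f"{commit.subject}\n{commit.body}"
    score, signals = 0, []
    for rx, weight, label in MESSAGE_SIGNALS:
        if rx.search(text):
            score += weight
            signals.append(label)
    for name in commit.added_tests:
        for rx, weight, label in TEST_NAME_SIGNALS:
            if rx.search(name):
                score += weight
                signals.append(f"{label}: {name}")
    touches_input = any(INPUT_HANDLING_PATH.search(p) for p in commit.files)
    touches_tests = bool(commit.added_tests) or any(TEST_PATH.search(p) for p in commit.files)
    if touches_input and touches_tests:
        score += 2
        signals.append("input-handling change shipped with new tests")
    flagged = score >= threshold
    explicit = any(s in EXPLICIT for s in signals)
    return Assessment(commit.subject, score, signals, flagged, flagged and not explicit)


def triage(commits, threshold: int = 5):
    """Return the commits worth a human look, highest score first."""
    hits = [a for a in (assess(c, threshold) for c in commits) if a.flagged]
    return sorted(hits, key=lambda a: a.score, reverse=True)


# Constructed sample commits (not from any real repository).
SAMPLE_COMMITS = [
    Commit("Bound header value length in the HTTP parser",
           "Reject header values over 8 KiB instead of growing the buffer without limit.",
           ["src/http/parser.c", "test/test_http.c"], ["test_rejects_oversized_header"]),
    Commit("Update README badges and contributor list", "", ["README.md"], []),
    Commit("Fix CVE-2099-00001: path traversal in archive extraction",
           "Entries whose normalized path escapes the destination directory are now rejected.",
           ["src/archive.py", "tests/test_archive.py"], ["test_rejects_traversal_entry"]),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_COMMITS):
        tag = "QUIET" if a.quiet else "LOUD "
        print(f"{tag} {a.score:>3}  {a.subject}\n       {', '.join(a.signals)}")
```

The first sample commit is the interesting case: its message never mentions security, yet a new limit, a rejection verb, a negative-case test name, and a parser change shipped with tests push it over the threshold, which is the shape of a silent patch. Keyword heuristics like this produce false positives on ordinary refactors, so in practice the score is a queue for review, not a verdict.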