Fundamentals
Fundamentals posts on the DepOversight blog: field notes on dependency security, pre-disclosure signals, and the tooling around them.
- What is pre-CVE dependency risk?
  A working definition for the class of dependency risk that exists before, and sometimes instead of, a CVE. The categories, the signals, and what review actually looks like.

- What an OpenSSF Scorecard score actually measures
  Scorecard reduces 19+ structural risk checks to a single 0–10 number. Useful when you understand what is in the score, misleading when you do not.

- Reading commit messages for security-relevant signals
  A practical taxonomy of the language patterns, diff shapes, and test names that reveal a security-relevant fix in commits, long before any advisory exists.

- How DepOversight would have caught the axios npm compromise
  On 31 March 2026, two malicious axios releases were live on npm for just over three hours. There was no CVE. There was no advisory. Here is what we would have surfaced, and when.