https://depoversight.com/blog/ Field notes on dependency security, supply-chain incidents, and what we surface before disclosure. en https://depoversight.com/blog/dependency-intelligence-vs-vulnerability-scanning/ https://depoversight.com/blog/dependency-intelligence-vs-vulnerability-scanning/ Sat, 09 May 2026 00:00:00 GMT Two complementary tools, two different questions. A factual breakdown of what each one is built to answer, and where the boundary sits. comparison vulnerability-scanning dependency-intelligence https://depoversight.com/blog/what-is-pre-cve-dependency-risk/ https://depoversight.com/blog/what-is-pre-cve-dependency-risk/ Sat, 09 May 2026 00:00:00 GMT A working definition for the class of dependency risk that exists before, and sometimes instead of, a CVE. The categories, the signals, and what review actually looks like. pre-cve definitions supply-chain fundamentals https://depoversight.com/blog/cve-scanners-not-early-warning/ https://depoversight.com/blog/cve-scanners-not-early-warning/ Fri, 08 May 2026 00:00:00 GMT CVE scanners are good at one job, telling you which dependencies match a published advisory. That job ends where the most expensive incidents begin. cve vulnerability-management supply-chain https://depoversight.com/blog/dependabot-osv-cve-scanners-pre-disclosure/ https://depoversight.com/blog/dependabot-osv-cve-scanners-pre-disclosure/ Thu, 07 May 2026 00:00:00 GMT Three of the most-deployed dependency-security tools, all built around the same data flow. A factual look at what each one is, what they do well, and the shared blind spot, the pre-advisory window. comparison dependabot osv cve-scanners https://depoversight.com/blog/openssf-scorecard-explained/ https://depoversight.com/blog/openssf-scorecard-explained/ Wed, 06 May 2026 00:00:00 GMT Scorecard reduces 19+ structural risk checks to a single 0–10 number. Useful when you understand what is in the score, misleading when you do not. openssf scorecard fundamentals https://depoversight.com/blog/silent-patches/ https://depoversight.com/blog/silent-patches/ Tue, 05 May 2026 00:00:00 GMT A non-trivial fraction of security-relevant fixes ship without an advisory, ever. Here is what that means for the dependency graph you have today, and the few signals that catch them. silent-patches disclosure advisory-databases https://depoversight.com/blog/snyk-vs-dependency-intelligence/ https://depoversight.com/blog/snyk-vs-dependency-intelligence/ Mon, 04 May 2026 00:00:00 GMT Snyk and dependency intelligence answer different questions. A factual look at what Snyk is built to do, what dependency intelligence adds, and how teams running both place them in the stack. comparison snyk vulnerability-scanning https://depoversight.com/blog/reading-commits-for-security-signals/ https://depoversight.com/blog/reading-commits-for-security-signals/ Sun, 03 May 2026 00:00:00 GMT A practical taxonomy of the language patterns, diff shapes, and test names that reveal a security-relevant fix in commits, long before any advisory exists. commit-analysis detection fundamentals https://depoversight.com/blog/hidden-window-between-fix-and-cve/ https://depoversight.com/blog/hidden-window-between-fix-and-cve/ Sat, 02 May 2026 00:00:00 GMT For most vulnerabilities, the fix lands in main long before any advisory or CVE exists. The gap is measured in days for the lucky cases and months for the median. Here is what happens in that window. pre-cve disclosure advisory-databases https://depoversight.com/blog/axios-supply-chain/ https://depoversight.com/blog/axios-supply-chain/ Fri, 01 May 2026 00:00:00 GMT On 31 March 2026, two malicious axios releases were live on npm for just over three hours. There was no CVE. There was no advisory. Here is what we would have surfaced, and when. supply-chain npm axios worked-example