The European Union Agency for Cybersecurity (ENISA) has released its inaugural Technical Advisory on the secure use of package managers, offering guidance to developers on safely integrating third-party code into their projects. This advisory, developed with input from 15 stakeholders, experts, and the open-source community, addresses common risks associated with software supply chains, as reported by Security Affairs.Modern software development heavily relies on package managers like npm and pip for code reuse and efficiency. However, this reliance introduces significant supply chain risks, as demonstrated by attacks in 2025. The advisory details common threats, including inherent code vulnerabilities and malicious package injections, and provides best practices for selecting, integrating, and monitoring third-party packages. It emphasizes verifying package provenance, scanning for known vulnerabilities, minimizing dependencies, and implementing robust checks within CI/CD pipelines. The guidance, while using npm and GitHub as examples, is applicable across various package manager ecosystems.The advisory underscores the critical need for developers to adopt risk-aware decision-making when managing third-party dependencies. As the software supply chain landscape evolves, organizations must treat security as an ongoing activity, regularly reviewing and updating their practices.Source: Security Affairs
Supply chain, DevSecOps
ENISA advisory outlines secure use of third-party software packages

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



