Dependency Security Glossary
Plain-English definitions of dependency security terms — CVEs, supply chain attacks, scanning tools, and everything in between.
Prototype pollution: An attack where attacker-controlled input (typically JSON carrying a "__proto__" or "constructor.prototype" key, fed into a recursive merge or deep-set helper) modifies Object.prototype, the shared prototype that nearly every JavaScript object inherits from, so the injected properties show up on every object in the process.
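An added example, not code from the glossary page: the recursive merge pattern that makes prototype pollution possible, beside a hardened version of the same function. The function names and the attacker payload are constructed for illustration.

```javascript
// Added example (not from the glossary page): a recursive merge vulnerable to
// prototype pollution, beside a hardened version. Names and payload are constructed.

// Constructed attacker input, e.g. a JSON body posted to an endpoint that deep-merges
// user settings. JSON.parse creates an *own* property literally named "__proto__".
const PAYLOAD = '{"name": "demo", "__proto__": {"isAdmin": true}}';

// VULNERABLE: for key "__proto__", target[key] resolves through the accessor to
// Object.prototype, so the recursion writes isAdmin onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: skip the keys that reach the prototype chain, only recurse into
// properties the target actually owns, and treat arrays as leaves.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the vulnerable merge, reports whether a brand-new object was affected,
// then removes the polluted property so the rest of the process is clean.
function runUnsafe() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return leaked;
}

function runSafe() {
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  return { leaked: ({}).isAdmin, name: merged.name, ownProto: hasOwn(merged, '__proto__') };
}

console.log('unsafe merge polluted Object.prototype:', runUnsafe()); // true
console.log('safe merge:', runSafe()); // { leaked: undefined, name: 'demo', ownProto: false }
```

The key-denylist approach above is the common fix; an alternative is to build the merge target with Object.create(null) so there is no prototype chain to reach at all. Either way, the check belongs in every helper that writes attacker-controlled keys into objects, not just the one you happened to audit.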
Supply chain attack: When an attacker compromises software you use (a library, build tool, CI action, or package registry) rather than software you write, so the malicious change reaches you through a channel you already trust.
Dependency confusion: When a package manager installs an attacker's package from a public registry instead of the private, internal package it was meant to fetch, because the attacker published a package under the same name (often with a higher version number) and the resolver preferred the public registry over the internal one.
Typosquatting: Registering a package name one character off from a popular one (a transposed letter, a dropped hyphen, an extra "s") and waiting for developers to mistype the install command or copy it from a bad snippet.
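An added example, not code from the glossary page: a pre-install check that flags requested package names sitting within one edit of a well-known name. The popular-name list and the requested names are constructed for illustration; a real check would draw the "popular" set from registry download counts or an organisational allowlist.

```javascript
// Added example (not from the glossary page): flag requested package names that are
// one edit away from a well-known name. Lists below are constructed for illustration.

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "lodahs" is one edit from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Compare case-insensitively with hyphens, underscores and dots stripped, so
// "crossenv" collides with "cross-env" before any edits are even counted.
function normalize(name) { return name.toLowerCase().replace(/[-_.]/g, ''); }

// Returns one record per (requested name, popular name) pair within maxDistance.
// Exact matches are the real package and are skipped.
function flagLookalikes(requested, popular, maxDistance = 1) {
  const popularSet = new Set(popular);
  const flagged = [];
  for (const name of requested) {
    if (popularSet.has(name)) continue;
    for (const known of popular) {
      const distance = editDistance(normalize(name), normalize(known));
      if (distance <= maxDistance) flagged.push({ name, lookalike: known, distance });
    }
  }
  return flagged;
}

// Constructed input: a short "popular" list and a package.json worth of requests.
const POPULAR = ['lodash', 'express', 'axios', 'cross-env'];
const REQUESTED = ['lodash', 'lodahs', 'expres', 'crossenv', 'axios'];
console.log(flagLookalikes(REQUESTED, POPULAR));
```

Expect false positives: plenty of legitimate packages are one edit from a popular one, so treat a hit as "stop and look", not "block". Real registries and SCA tools add signals this check lacks, such as package age, download counts and whether the lookalike declares install scripts.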
Transitive dependency: A package your code doesn't import directly but that gets installed because something you do depend on requires it. Its vulnerabilities are still your vulnerabilities, and in a typical project most of the dependency tree is transitive.
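An added example, not code from the glossary page: a walk over a small dependency graph that lists what is transitive and prints the chain from your direct dependency down to a given package, which is what an audit tool shows you so you know which direct dependency to bump. The graph is constructed for illustration; in practice you would build it from package-lock.json or the output of `npm ls --json`.

```javascript
// Added example (not from the glossary page): walk a dependency graph to show why a
// package you never imported is still yours. The graph below is constructed.
const GRAPH = {
  'my-app': ['express', 'lodash'],
  'express': ['body-parser', 'debug'],
  'body-parser': ['debug', 'qs'],
  'debug': ['ms'],
  'qs': [],
  'ms': [],
  'lodash': [],
};

// Every package that ends up installed for `root`, direct or not.
function allDependencies(graph, root) {
  const seen = new Set();
  const stack = [...(graph[root] || [])];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    stack.push(...(graph[name] || []));
  }
  return seen;
}

// All chains from `root` to `target`: the "path" an audit report prints.
function dependencyPaths(graph, root, target) {
  const paths = [];
  const walk = (node, trail) => {
    if (trail.includes(node)) return; // ignore cycles
    const here = [...trail, node];
    if (node === target) { paths.push(here); return; }
    for (const dep of graph[node] || []) walk(dep, here);
  };
  walk(root, []);
  return paths;
}

function isDirect(graph, root, name) { return (graph[root] || []).includes(name); }

const transitive = [...allDependencies(GRAPH, 'my-app')]
  .filter((n) => !isDirect(GRAPH, 'my-app', n))
  .sort();
console.log('transitive:', transitive); // [ 'body-parser', 'debug', 'ms', 'qs' ]
console.log('paths to ms:', dependencyPaths(GRAPH, 'my-app', 'ms').map((p) => p.join(' > ')));
```

Note that `ms` appears twice, via two different chains. Fixing a vulnerable transitive dependency means every chain has to pick up the fixed version, which is why "override" or "resolutions" entries exist in package managers and why upgrading only one direct dependency sometimes leaves the finding open.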
CVE (Common Vulnerabilities and Exposures): A standardized identifier, in the form CVE-YYYY-NNNNN, assigned to a publicly known security vulnerability so that advisories, scanners, and vendors can all refer to the same flaw.
CVSS (Common Vulnerability Scoring System): A 0 to 10 score describing how severe a vulnerability is, based on factors such as whether it is reachable over the network, whether it needs credentials or user interaction, and how much confidentiality, integrity, and availability it affects. It measures technical severity, not whether anyone is actually exploiting the flaw.
CISA Known Exploited Vulnerabilities (KEV) catalog: A list, maintained by the US Cybersecurity and Infrastructure Security Agency, of vulnerabilities confirmed to be actively exploited in the wild. A CVE on this list deserves prompt attention regardless of its CVSS score.
Lockfile: A file (package-lock.json, yarn.lock, Pipfile.lock, Cargo.lock, and similar) that records the exact resolved version, and usually an integrity hash, of every dependency your project installed, so every machine and CI run gets identical packages rather than whatever currently satisfies the version ranges.
SBOM (Software Bill of Materials): A complete, machine-readable list of every component in a piece of software, transitive dependencies included, with versions and identifiers, like a nutrition label but for code. SPDX and CycloneDX are the common formats.
Dormant package suddenly updated: A package that saw no releases for months or years and then publishes a new version, often with new install scripts or a new maintainer. Not always malicious, but a common signature of a compromised or quietly handed-off maintainer account, and worth inspecting before upgrading.
Invisible Unicode characters: A supply chain attack technique that hides malicious code in zero-width or otherwise non-rendering Unicode characters inside package scripts, so a human reading the file sees nothing while the runtime still decodes and executes it. A related trick uses bidirectional override characters so that code renders differently from how the compiler parses it.
Dependency scanning: Automatically checking your project's dependencies, usually from the lockfile or SBOM, against vulnerability databases and policy rules to find known CVEs, malicious packages, and license or maintenance risks.
Software Composition Analysis (SCA): The category of tools that identify the open source components in your software, map them to known vulnerabilities and licenses, and report what needs updating.
Open source vulnerability: A security flaw in a publicly available software library that every project using the affected version inherits until the dependency is upgraded or patched, or the vulnerable code path is confirmed unreachable from that project.