The articles below cover SBOM generation, dependency triage under deadline pressure, the EU Cyber Resilience Act, abandoned-package detection, and the maths of CVE prioritization. Every post points back to a specific workflow the DepTriage scanner can run for you in 30 seconds.
How to Generate a CycloneDX SBOM from package-lock.json in 5 Minutes
A step-by-step 2026 guide to producing a CycloneDX 1.5 SBOM from a package-lock.json — formats, fields, validation, and what auditors actually check.
What to Do When Your Inherited Codebase Has 1,000+ Transitive Dependencies and a Compliance Deadline
A pragmatic playbook for triaging a giant transitive dependency tree under deadline pressure: what to fix, what to defer, what to document.
Abandoned npm Packages: How to Identify Them Before Your Next Audit
How to detect abandoned npm dependencies (and why this matters more than CVE counts), with practical signals and free tools — including DepTriage.
SBOM Requirements Under the EU Cyber Resilience Act: What Developers Need to Know
The CRA is in force. Here's what an SBOM has to contain, who has to produce one, and what the practical obligations look like for small teams.
Direct vs Transitive Dependencies: Why Severity Level Alone Is Useless for Triage
Why CRITICAL on a transitive dependency at depth 5 is not the same as CRITICAL on a direct dependency — and how to model real risk instead.
How to Prioritize CVE Fixes in a 1,400-Package Dependency Tree Without Going Insane
A scoring formula for CVE triage that combines severity, depth, maintainer health, and exploit availability — the same formula DepTriage uses.
Free Tools to Check Open Source Maintainer Health Before Your Next Compliance Review
Five free signals for maintainer health you can pull yourself, plus a comparison of free dashboards (libraries.io, OpenSSF Scorecard, deps.dev, Tidelift).