{"id":1078,"date":"2025-05-12T00:14:20","date_gmt":"2025-05-12T05:14:20","guid":{"rendered":"https:\/\/stagefoursecurity.com\/blog\/?p=1078"},"modified":"2025-05-12T00:14:20","modified_gmt":"2025-05-12T05:14:20","slug":"open-source-dependency-risk","status":"publish","type":"post","link":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/open-source-dependency-risk\/","title":{"rendered":"Open Source Dependency Risk"},"content":{"rendered":"<article>\n<header>\n<h1>\ud83d\udce6 Beyond the Repo: Understanding Open Source Dependency Risk<\/h1>\n<p><em>By James K. Bishop, vCISO | Founder, <a href=\"https:\/\/stagefoursecurity.com\" target=\"_blank\" rel=\"noopener\">Stage Four Security<\/a><\/em><\/p>\n<\/header>\n<section>\n<h2>\ud83d\udd0d What\u2019s Really in Your Dependencies?<\/h2>\n<p><a href=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-1.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignright wp-image-1100\" src=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-1-300x200.png\" alt=\"\" width=\"400\" height=\"267\" srcset=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-1-300x200.png 300w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-1-1024x683.png 1024w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-1-768x512.png 768w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-1.png 1536w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a>Open source is everywhere\u2014and that&#8217;s the problem. The average modern application has hundreds of third-party dependencies, many of which bring their own risks. 
While open source enables faster development, community innovation, and transparency, it also introduces blind spots, especially in transitive dependencies you didn\u2019t explicitly choose.<\/p>\n<p>This post explores how open source dependency risk arises, how real-world breaches exploit it, and how to manage it through tooling, policy, and secure build practices.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udd17 Direct vs. Transitive Dependencies<\/h2>\n<p><strong>Direct dependencies<\/strong> are the libraries you explicitly declare in your codebase (e.g., in <code>package.json<\/code> or <code>requirements.txt<\/code>). <strong>Transitive dependencies<\/strong>\u2014often far more numerous\u2014are the dependencies of your dependencies. These are pulled in automatically and can number in the hundreds or thousands.<\/p>\n<p>Transitive dependencies are especially dangerous because:<\/p>\n<ul>\n<li>They often escape regular code review.<\/li>\n<li>They can be quietly deprecated or hijacked (e.g., <em>event-stream<\/em> in NPM).<\/li>\n<li>They are more likely to include unmaintained or unvetted code.<\/li>\n<\/ul>\n<p>In major ecosystems like NPM and PyPI, a single top-level library may bring in 50+ transitive packages with no centralized security vetting.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udcc9 Real-World Incidents<\/h2>\n<p>Open source dependency attacks are not hypothetical. 
Here are notable cases:<\/p>\n<ul>\n<li><strong>event-stream (NPM):<\/strong> The maintainer of an abandoned package handed control to an attacker, who inserted malicious code targeting cryptocurrency wallets.<\/li>\n<li><strong>UAParser.js:<\/strong> A popular library was hijacked and used to deploy cryptocurrency miners and credential stealers.<\/li>\n<li><strong>colors.js \/ faker.js:<\/strong> A disgruntled maintainer deliberately corrupted both libraries, affecting thousands of downstream applications.<\/li>\n<li><strong>PyTorch-nightly:<\/strong> Attackers uploaded a malicious <code>torchtriton<\/code> package to PyPI that exfiltrated sensitive system info on install.<\/li>\n<\/ul>\n<p>These cases highlight two key risks: <strong>package takeover<\/strong> and <strong>ecosystem-level trust failures<\/strong>.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udee0\ufe0f How to Manage Dependency Risk<\/h2>\n<p>Managing dependency risk requires both <strong>process discipline<\/strong> and <strong>tooling integration<\/strong>. Here\u2019s how to start:<\/p>\n<h3>1. Use Software Composition Analysis (SCA)<\/h3>\n<p>Tools like <strong>OWASP Dependency-Check<\/strong>, <strong>Snyk<\/strong>, <strong>Dependabot<\/strong>, <strong>Renovate<\/strong>, and <strong>Anchore<\/strong> scan your projects for known vulnerabilities and out-of-date packages. They surface CVEs and license issues.<\/p>\n<h3>2. Monitor for Known Exploits<\/h3>\n<p>Integrate feeds from:<\/p>\n<ul>\n<li><a href=\"https:\/\/nvd.nist.gov\/\" target=\"_blank\" rel=\"noopener\">NIST NVD<\/a> (National Vulnerability Database)<\/li>\n<li><a href=\"https:\/\/osv.dev\/\" target=\"_blank\" rel=\"noopener\">Google\u2019s OSV Database<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/advisories\" target=\"_blank\" rel=\"noopener\">GitHub Security Advisories<\/a><\/li>\n<\/ul>\n<h3>3. 
Enforce Dependency Policies<\/h3>\n<p>Use automated workflows to:<\/p>\n<ul>\n<li>Block known-bad packages (denylists)<\/li>\n<li>Pin versions to prevent silent upgrades<\/li>\n<li>Flag or block packages without recent updates or security reviews<\/li>\n<\/ul>\n<h3>4. Scan Transitives Separately<\/h3>\n<p>Make sure your tools go beyond top-level packages. If your SCA isn\u2019t scanning <em>everything in the dependency tree<\/em>, you\u2019re missing the majority of your attack surface.<\/p>\n<h3>5. Run Builds in a Secure Sandbox<\/h3>\n<p>Prevent installation-time attacks (e.g., malicious install scripts) by running builds in hardened containers or ephemeral environments\u2014never on developer laptops.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udccb Governance Tips for Open Source Use<\/h2>\n<p>Technical controls aren\u2019t enough. You also need policy and governance:<\/p>\n<ul>\n<li>Define an approved package list or vetting process for new dependencies<\/li>\n<li>Assign responsibility for dependency reviews (e.g., during code review or release gates)<\/li>\n<li>Establish response plans for dependency-driven vulnerabilities (e.g., Log4Shell-like CVEs)<\/li>\n<li>Keep a record of historical SBOMs for released versions (see upcoming Post 2)<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>\ud83d\udce3 Final Thought<\/h2>\n<p>Dependencies are software you didn\u2019t write, can\u2019t fully trust, and often don\u2019t control. But you\u2019re still responsible for the risk. 
By treating open source packages as part of your attack surface\u2014rather than assuming \u201cfree\u201d means \u201csafe\u201d\u2014you can reduce exposure and respond quickly when threats emerge.<\/p>\n<p><strong>Need help auditing your open source risk or integrating SCA and SBOM tools into your pipeline?<\/strong> <a href=\"https:\/\/stagefoursecurity.com\/blog\/partner-with-stage-four-security\/\" target=\"_blank\" rel=\"noopener\">Let\u2019s talk<\/a>.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":1,"comment_status":"closed","categories":[17],"tags":[]}