Incidents
Log4Shell Was Never Just a Vulnerability. It Was a Visibility Crisis.
Log4Shell exposed a deeper problem: organizations had no clear visibility into the open source software running inside their systems.
Incidents
The colors.js and faker.js Incident Was a Trust Crisis for Open Source
When a maintainer intentionally broke popular packages, the industry learned that dependency risk is not only about vulnerabilities.
Research
Why CVSS Scores Alone Are Not Enough for Vulnerability Prioritization
A CVSS score measures severity, but real-world risk depends on context, exploitability, and exposure.
Guides
I'm a Student, Not a Security Expert. Why Should I Care?
Your first project inherits hundreds of packages you never chose. That hidden supply chain still needs basic care.
Technical
How ShipWatch Scores Your Dependencies (And Why You Should Trust It)
ShipWatch blends security, maintenance, and ecosystem signals into one score so teams can act quickly and consistently.
Build Log
Building ShipWatch: Captain's Log
A behind-the-scenes look at how ShipWatch uses Coral to unify GitHub, OSV, and npm data into one risk signal.