securityaffairs.com 3/12/2026, 10:08:17 AM

ENISA Technical Advisory on Secure Package Managers: Essential DevSecOps Guidance

Primary Source enisa.europa.eu

ENISA’s first Technical Advisory on Secure Package Managers describes how developers can safely consume third‑party packages, outlining the risks and the secure practices that apply across the software development life cycle. The document, dated March 2026 (v1.1), follows a public feedback round and incorporates 15 contributions from stakeholders, experts and the open‑source community; it emphasises the secure selection, integration and monitoring of packages.

It notes that modern software relies on package managers such as npm, pip and Maven which, while they make updates easy, carry significant supply chain risk, as shown by the 2025 attacks on npm and related ecosystems, including the XRP and Shai‑Hulud 2.0 incidents. The advisory explains how a typical install such as npm install express can pull in about 68 dependencies, illustrating how far the risk extends across direct and transitive dependencies.

It also references React CVE‑2025‑55182, rated CVSS 10.0, which threatened 12 million sites, underlining the potential impact of a single vulnerable package. The guidance covers the use of SBOMs, vulnerability scanners such as Grype or osv‑scanner, and ongoing monitoring through tools like npm audit, OSV, Snyk, NVD and Dependabot, as well as mitigation approaches that draw on CVSS, EPSS and KEV, and on CodeQL or Semgrep.
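The two points above, that one install can pull in dozens of transitive packages and that the lockfile is where monitoring starts, can be made concrete with a small audit script. The following Node.js example is added here and is not code from ENISA, Security Affairs or any of the tools named; it walks a package-lock.json in the lockfileVersion 3 layout (a flat "packages" map keyed by install path), separates direct from transitive dependencies, records the chain through which each package was pulled in, and flags lock entries a defender would want to review: a missing or non-sha512 integrity hash, a tarball resolved over plain HTTP, several versions of one package in the tree, and matches against an advisory list. The lockfile, package names, URLs, hashes and the advisory identifier EXAMPLE-ADV-0001 are all constructed for the example; the advisory list stands in for what a scanner such as osv-scanner would report.

```javascript
// Added example (not from ENISA or Security Affairs): audit an npm
// package-lock.json (lockfileVersion 3) for direct vs. transitive dependencies
// and for lock entries worth a second look. Node.js, no third-party modules.

// Constructed sample lockfile; names, versions, URLs and hashes are made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-fw": "^1.0.0", logger: "^2.0.0" } },
    "node_modules/web-fw": {
      version: "1.0.0", resolved: "https://registry.example/web-fw/-/web-fw-1.0.0.tgz",
      integrity: "sha512-AAAA", dependencies: { "body-parse": "^3.0.0", "cookie-util": "^0.5.0" },
    },
    "node_modules/body-parse": {
      version: "3.0.0", resolved: "https://registry.example/body-parse/-/body-parse-3.0.0.tgz",
      integrity: "sha512-BBBB", dependencies: { "bytes-util": "^1.0.0" },
    },
    "node_modules/cookie-util": {
      version: "0.5.0", resolved: "https://registry.example/cookie-util/-/cookie-util-0.5.0.tgz",
      integrity: "sha512-CCCC",
    },
    "node_modules/bytes-util": {
      version: "1.0.0", resolved: "https://registry.example/bytes-util/-/bytes-util-1.0.0.tgz",
      integrity: "sha512-DDDD",
    },
    // No integrity field: npm cannot verify the tarball on reinstall.
    "node_modules/logger": {
      version: "2.0.0", resolved: "https://registry.example/logger/-/logger-2.0.0.tgz",
      dependencies: { "bytes-util": "^0.9.0" },
    },
    // Nested second copy of bytes-util, fetched over plain HTTP with a sha1 hash.
    "node_modules/logger/node_modules/bytes-util": {
      version: "0.9.0", resolved: "http://registry.example/bytes-util/-/bytes-util-0.9.0.tgz",
      integrity: "sha1-EEEE",
    },
  },
};

// Constructed advisory list standing in for scanner output; the id is a placeholder.
const SAMPLE_ADVISORIES = [{ id: "EXAMPLE-ADV-0001", name: "bytes-util", version: "0.9.0" }];

// npm lookup order: the dependent's own node_modules, then each ancestor's, up to the root.
function resolvePath(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.replace(/\/?node_modules\/[^/]+$/, ""); // climb to the parent package
  }
}

function auditLockfile(lock, advisories = []) {
  const packages = lock.packages || {};
  const nodes = new Map(); // install path -> { name, version, depth, chain }
  const findings = [];
  const queue = [{ path: "", depth: 0, chain: [] }]; // breadth-first from the project root
  while (queue.length) {
    const { path, depth, chain } = queue.shift();
    for (const depName of Object.keys(packages[path].dependencies || {})) {
      const target = resolvePath(packages, path, depName);
      if (!target) { findings.push({ kind: "unresolved", path, detail: depName }); continue; }
      if (nodes.has(target)) continue; // already reached by another route
      const node = { name: depName, version: packages[target].version, depth: depth + 1, chain: [...chain, depName] };
      nodes.set(target, node);
      queue.push({ path: target, depth: node.depth, chain: node.chain });
    }
  }
  const versionsByName = new Map();
  for (const [path, node] of nodes) {
    const entry = packages[path];
    if (!entry.integrity) findings.push({ kind: "missing-integrity", path, detail: "no hash to verify the tarball" });
    else if (!entry.integrity.startsWith("sha512-")) findings.push({ kind: "weak-integrity", path, detail: entry.integrity.split("-")[0] });
    if (entry.resolved && !entry.resolved.startsWith("https://")) findings.push({ kind: "insecure-resolved", path, detail: entry.resolved });
    if (!versionsByName.has(node.name)) versionsByName.set(node.name, new Set());
    versionsByName.get(node.name).add(node.version);
    for (const adv of advisories) {
      if (adv.name === node.name && adv.version === node.version)
        findings.push({ kind: "advisory", path, detail: `${adv.id} reached via ${node.chain.join(" > ")}` });
    }
  }
  for (const [name, versions] of versionsByName)
    if (versions.size > 1) findings.push({ kind: "duplicate-versions", path: name, detail: [...versions].sort().join(", ") });
  const all = [...nodes.values()];
  const label = (n) => `${n.name}@${n.version}`;
  return {
    direct: all.filter((n) => n.depth === 1).map(label),
    transitive: all.filter((n) => n.depth > 1).map(label),
    total: nodes.size,
    findings,
  };
}

function main() {
  const report = auditLockfile(SAMPLE_LOCK, SAMPLE_ADVISORIES);
  console.log(`${report.direct.length} direct, ${report.transitive.length} transitive, ${report.total} packages in total`);
  for (const f of report.findings) console.log(`[${f.kind}] ${f.path}: ${f.detail}`);
}
main();
```

On the constructed lockfile the script reports 2 direct and 4 transitive packages and shows that the advisory-listed bytes-util@0.9.0 enters the tree only through logger, which is the information needed to decide whether to upgrade, override or drop the dependency. To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json and SAMPLE_ADVISORIES with the scanner's findings.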

According to ENISA’s guidance, organisations should treat software supply chain security as an ongoing activity rather than a one‑off exercise, periodically reviewing their tooling, the threat landscape and ecosystem‑specific guidance.


Article by CyberSIXT