DepSec Daily
Dependency & AI-agent security — practical notes, daily.

Latest

AI agents

How to install and configure an MCP server (the safe way)

Install steps for MCP servers plus the security checks most guides skip.

2026-07-07

AI agents

How to install the openai-agents SDK and use it without footguns

Install, a minimal working agent, and the tool-safety mistakes to avoid.

2026-07-06

AI agents

Installing Claude Code: setup, settings.json, and hardening

Install, first-run config, and the settings/hooks that shrink your blast radius.

2026-07-06

API

How to authenticate an agent tool with an API (OAuth, API keys, Azure)

The credential patterns that keep agent tools working without leaking secrets.

2026-07-05

Supply chain

Is this npm or PyPI package safe? A repeatable evaluation

A concrete workflow — with commands — to vet a dependency before you add it.

2026-07-04

Supply chain

How to check the latest version of a package without getting burned

'latest' is a moving target an attacker can hit. Check versions deliberately.

2026-07-03

AI agents

Vetting an MCP server before you connect an agent to it

MCP servers run with your agent's trust. The checklist before you add one.

2026-07-02

AI agents

How indirect prompt injection actually reaches your agent

The web page your agent reads can carry instructions. Mechanism and defenses.

2026-07-01

LLM

Securing a RAG pipeline against poisoned context

Retrieved documents are model input. If an attacker can write to your corpus, they can steer answers.

2026-06-30

Vulnerabilities

Reading a CVE advisory: what actually matters for your risk

A CVE ID alone tells you little. Focus on version, vector, reachability, fix.

2026-06-29

Supply chain

Is your React app's dependency tree safe? How to lock it down

React itself is well-maintained; the risk is the hundreds of transitive deps around it.

2026-06-28

Supply chain

Installing Vite securely: supply-chain notes for your build tooling

Build tools run code on your machine and in CI — treat them like the privileged deps they are.

2026-06-27

Supply chain

TypeScript toolchain security: keeping your build honest

tsc, ts-node, and type packages all run or inject code. Verify the ones you add.

2026-06-26

LLM

Is LangChain safe? Prompt injection and tool risks in chains

The framework is fine; chains that feed untrusted content into tools are where it breaks.

2026-06-25

AI agents

Setting up Cursor safely: AI IDE security considerations

An AI IDE can read your codebase, run commands, and browse — configure those deliberately.

2026-06-24

Supply chain

Is requests / pandas safe? Verifying popular Python packages before install

Popular names are exactly what typosquatters mimic. A quick PyPI provenance check.

2026-06-23

npm

How to install react safely — and check it's the real npm package

Install react, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-01

npm

How to install vue safely — and check it's the real npm package

Install vue, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-02

npm

How to install next safely — and check it's the real npm package

Install next, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-03

npm

How to install express safely — and check it's the real npm package

Install express, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-04

npm

How to install axios safely — and check it's the real npm package

Install axios, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-05

npm

How to install lodash safely — and check it's the real npm package

Install lodash, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-06

npm

How to install vite safely — and check it's the real npm package

Install vite, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-07

npm

How to install vitest safely — and check it's the real npm package

Install vitest, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-08

npm

How to install webpack safely — and check it's the real npm package

Install webpack, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-09

npm

How to install eslint safely — and check it's the real npm package

Install eslint, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-10

npm

How to install prettier safely — and check it's the real npm package

Install prettier, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-11

npm

How to install tailwindcss safely — and check it's the real npm package

Install tailwindcss, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-12

npm

How to install jest safely — and check it's the real npm package

Install jest, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-13

npm

How to install zod safely — and check it's the real npm package

Install zod, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-14

npm

How to install dotenv safely — and check it's the real npm package

Install dotenv, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-15

npm

How to install prisma safely — and check it's the real npm package

Install prisma, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-16

npm

How to install mongoose safely — and check it's the real npm package

Install mongoose, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-17

npm

How to install jsonwebtoken safely — and check it's the real npm package

Install jsonwebtoken, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-18

npm

How to install socket.io safely — and check it's the real npm package

Install socket.io, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-19

npm

How to install react-router-dom safely — and check it's the real npm package

Install react-router-dom, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-20

npm

How to install @sentry/node safely — and check it's the real npm package

Install @sentry/node, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-21

npm

How to install chalk safely — and check it's the real npm package

Install chalk, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-22

npm

How to install commander safely — and check it's the real npm package

Install commander, confirm it's the genuine npm package (not a typosquat), and pin it.

2026-06-23

PyPI

How to install requests safely — and check it's the real PyPI package

Install requests, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-24

PyPI

How to install pandas safely — and check it's the real PyPI package

Install pandas, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-25

PyPI

How to install numpy safely — and check it's the real PyPI package

Install numpy, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-26

PyPI

How to install flask safely — and check it's the real PyPI package

Install flask, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-27

PyPI

How to install django safely — and check it's the real PyPI package

Install django, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-01

PyPI

How to install fastapi safely — and check it's the real PyPI package

Install fastapi, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-02

PyPI

How to install pydantic safely — and check it's the real PyPI package

Install pydantic, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-03

PyPI

How to install openai safely — and check it's the real PyPI package

Install openai, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-04

PyPI

How to install anthropic safely — and check it's the real PyPI package

Install anthropic, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-05

PyPI

How to install transformers safely — and check it's the real PyPI package

Install transformers, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-06

PyPI

How to install boto3 safely — and check it's the real PyPI package

Install boto3, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-07

PyPI

How to install sqlalchemy safely — and check it's the real PyPI package

Install sqlalchemy, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-08

PyPI

How to install pytest safely — and check it's the real PyPI package

Install pytest, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-09

PyPI

How to install httpx safely — and check it's the real PyPI package

Install httpx, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-10

PyPI

How to install pillow safely — and check it's the real PyPI package

Install pillow, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-11

PyPI

How to install beautifulsoup4 safely — and check it's the real PyPI package

Install beautifulsoup4, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-12

PyPI

How to install uvicorn safely — and check it's the real PyPI package

Install uvicorn, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-13

PyPI

How to install llama-index safely — and check it's the real PyPI package

Install llama-index, confirm it's the genuine PyPI package (not a typosquat), and pin it.

2026-06-14