Practical guidance on CRA compliance, SBOM generation, and software supply chain security.
The EU Cyber Resilience Act's first real deadline hits September 11, 2026. From that date, you must report actively exploited vulnerabilities within 24 hours. If you don't have SBOMs and CVE monitoring in place, you can't comply. Here's what you need to know — and what your options are.
Read more →Getting "Component requires at least one valid identifier (PURL or CPE)" for @types/node or @angular/core? The @ sign in scoped npm packages must be percent-encoded as %40 in PURLs. Here's why, and how to fix it.
Read more →Your CycloneDX SBOM fails NTIA validation because of missing supplier fields. Here's exactly what those errors mean, where they come from, and how to fix them — with the CycloneDX 1.7 spec.
Read more →