I wonder if we get a response from NPM on all the package compromises at some point + what their idea is to mitigate those.
-
I wonder if we get a response from NPM on all the package compromises at some point + what their idea is to mitigate those.
-
I wonder if we get a response from NPM on all the package compromises at some point + what their idea is to mitigate those.
@pixel Is it really a npm issue? If package maintainers do not pay enough attention to their dependencies, this could happen with composer and other dependency managers also. IMHO
-
@pixel Is it really a npm issue? If package maintainers do not pay enough attention to their dependencies, this could happen with composer and other dependency managers also. IMHO
@MarcusSchwemer the thing is: if it happens this often, the service provider should step in with mitigations as well.
Just "it's the maintainers fault" doesn't work if millions of users (and systems) are at stake.
Adding a third factor, like signatures etc. is probably what's next.
-
I wonder if we get a response from NPM on all the package compromises at some point + what their idea is to mitigate those.
-
@danielsiepmann @MarcusSchwemer
fun fact, release/artifact attestation already is a thing, just not enforced.
