8 comments
- supriyo-biswas 8 hours ago: Is any form of code analysis out of the question? Static and dynamic analysis of the code would seem like a promising idea rather than just trying to defer the update and hence the problem.
- weinzierl 9 hours ago: Seen favorably, staged publishing is a band-aid. Seen more realistically, I believe that in the long run it will even hurt our efforts for more secure infra.
- buildfocus 8 hours ago: How could it possibly hurt?
For trusted publishing, it's not a band-aid, it's a significant improvement that kills an entire class of CI takeover publish attacks. I'm sure attackers will find another way, but it's a big gap this is closing up.
- madarco 8 hours ago: Meanwhile pnpm 10.x by default won't download packages younger than a day.
- stabbles 8 hours ago: Is one day enough to find vulnerabilities? Who keeps an eye on new releases? Otherwise the problem continues to exist, just delayed by one day.
- captn3m0 8 hours ago: There are almost a dozen cybersecurity companies scanning npm publishes in real time and analysing them.
- jamietanna 7 hours ago: *11.x
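The "minimum release age" idea discussed in the sub-thread above, as an added example (not pnpm's code and not from any commenter): the npm registry's package metadata document (the "packument") carries a `time` map of version to ISO 8601 publish timestamp, and a client can refuse any version whose timestamp is younger than a configured delay. The sample packument, its version numbers and timestamps are constructed for the example; the function and constant names are the example's own. Versions with a missing or unparsable timestamp are treated as too new, so the check fails closed.

```javascript
// Added example: a standalone version-age filter in the spirit of a minimum
// release age policy. It is not pnpm's implementation. It takes the "time"
// map from an npm registry packument and keeps only versions published at
// least `minAgeMinutes` ago.

// Constructed sample packument, shaped like the registry metadata document.
// Package name, versions and timestamps are made up for this example.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2025-09-10T11:30:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2025-06-15T09:00:00.000Z",
    "2.0.0": "2025-09-10T11:30:00.000Z",
  },
};

// One day expressed in minutes, matching the "younger than a day" default
// mentioned in the thread.
const ONE_DAY_MINUTES = 24 * 60;

// Return the versions whose publish timestamp is at least `minAgeMinutes`
// old relative to `now`. The "created" and "modified" keys are metadata, not
// versions, so they are skipped. A missing or unparsable timestamp makes a
// version ineligible: for a delay policy, failing closed is the safer default.
// The result is sorted lexically for stable output (not semver order).
function versionsOldEnough(packument, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const times = packument.time || {};
  return Object.keys(times)
    .filter((key) => key !== "created" && key !== "modified")
    .filter((version) => {
      const published = Date.parse(times[version]);
      return Number.isFinite(published) && published <= cutoff;
    })
    .sort();
}

// Choose the version to install: the "latest" dist-tag if it is old enough,
// otherwise the most recently published version that is. Returns null when
// no version satisfies the policy, so the caller can fail the install.
function selectVersion(packument, minAgeMinutes, now = new Date()) {
  const allowed = versionsOldEnough(packument, minAgeMinutes, now);
  const wanted = packument["dist-tags"] && packument["dist-tags"].latest;
  if (wanted && allowed.includes(wanted)) return wanted;
  if (allowed.length === 0) return null;
  return allowed.reduce((best, v) =>
    Date.parse(packument.time[v]) > Date.parse(packument.time[best]) ? v : best
  );
}

// Usage: pretend "now" is one hour after 2.0.0 was published, so 2.0.0 is
// still inside the one-day window and the policy falls back to 1.1.0.
const now = new Date("2025-09-10T12:30:00.000Z");
console.log(versionsOldEnough(SAMPLE_PACKUMENT, ONE_DAY_MINUTES, now)); // ["1.0.0", "1.1.0"]
console.log(selectVersion(SAMPLE_PACKUMENT, ONE_DAY_MINUTES, now)); // "1.1.0"
```

Once `now` moves past the 24-hour mark for 2.0.0, `selectVersion` returns the dist-tag target again; the delay only shifts when a release becomes installable, which is exactly the trade-off stabbles raises.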
- koinedad 14 hours ago: Nice... maybe it will help with some of the recent attacks.
- warmwaffles 1 hour ago: Perfect, now we'll start seeing people automate auto-publishing because they don't want to explicitly push a button to publish it.