scotty79 4 days ago
Is there a tool that you can put between your npm client and npm web servers that serves package versions that are month old and possibly also tracks discovered malware and never serves infected versions?
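The selection rule this question describes (only serve versions that have been public for some cooldown period, and never serve versions a team has flagged) can be expressed as a small policy over the registry's packument metadata. The following is an added example, not code from the thread or from any of the products named in it; it assumes the `time` map shape returned by `https://registry.npmjs.org/<package>` and uses constructed sample data so it runs offline.

```javascript
// Added example: pick the newest stable version of an npm package that was
// published at least `minAgeDays` ago and is not on a denylist of flagged
// versions. This is the decision a cooldown proxy would make before serving a
// tarball; it does not talk to the network.

// Constructed packument fragment (not a real package). The registry's `time`
// field maps each version, plus "created" and "modified", to its publish date.
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2025-09-10T00:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2025-06-01T00:00:00.000Z",
    "2.0.0": "2025-08-01T00:00:00.000Z",
    "2.1.0": "2025-09-10T00:00:00.000Z",
  },
};

// Constructed denylist of "name@version" strings a security team has flagged.
const flaggedVersions = new Set(["example-lib@2.0.0"]);

// Only stable releases are eligible; prereleases (1.2.0-beta.1) and the
// non-version keys "created"/"modified" are skipped.
function isStableSemver(v) {
  return /^\d+\.\d+\.\d+$/.test(v);
}

// Numeric major.minor.patch comparison (stable versions only).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns the newest eligible version string, or null if nothing qualifies
// (which a proxy should treat as "refuse to serve", not "fall back to latest").
function selectVersion(pkg, denylist, { minAgeDays = 30, now = new Date() } = {}) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  const candidates = Object.entries(pkg.time)
    .filter(([version]) => isStableSemver(version))
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .filter(([version]) => !denylist.has(`${pkg.name}@${version}`))
    .map(([version]) => version)
    .sort(compareSemver);
  return candidates.length > 0 ? candidates[candidates.length - 1] : null;
}

// Stand-alone run: with a 30-day cooldown as of 2025-09-20, 2.1.0 is too new
// and 2.0.0 is flagged, so 1.1.0 is served instead of dist-tags.latest.
console.log(
  selectVersion(packument, flaggedVersions, {
    minAgeDays: 30,
    now: new Date("2025-09-20T00:00:00.000Z"),
  })
);
```

The cooldown and the denylist are independent controls: the cooldown buys time for the ecosystem to notice a bad release, and the denylist makes sure a version that was noticed stays blocked even after it ages past the cooldown. Returning `null` rather than falling back to `latest` is deliberate, since a silent fallback would reintroduce exactly the version the policy was meant to keep out.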
JackFr 4 days ago | parent | next
Artifactory. Nexus. I believe AWS/GCP/Azure have offerings. No bank, and almost no large corporations go directly to artifact/package repos. They all host them internally.
mikebelanger 3 days ago | parent | prev | next
Artifactory works fairly well. Although admittedly, when a user grabs a new dependency, they're downloading from the npmjs registry like anyone else. Really, the killer combo would be to have some kind of LLM-based tool that would scan someone's Artifactory. Something smart enough to notice that code changed, and there's code for accessing a crypto wallet, etc. This would be too expensive for npmjs to host for free, but I could see this happen to hosted Artifactory dependencies.
lovehashbrowns 4 days ago | parent | prev | next
I'm looking at Verdaccio currently, since Artifactory is expensive and I think the CE version still only supports C++. Does anyone have any experience with Verdaccio?
singulasar 4 days ago | parent | prev | next
The company that first found this vulnerability also has a tool for this: https://www.npmjs.com/package/@aikidosec/safe-chain
balder1991 4 days ago | parent | prev
Something like this? https://jfrog.com/artifactory/