weinzierl 3 hours ago

Which mitigations specifically are in npm but not in crates.io? As far as I know crates.io has everything that npm has, plus:

- strictly immutable versions [1]
- fully automated, no-human-in-the-loop perpetual yanking
- no deletions ever
- a public and append-only index

Go modules go even further and add automatic checksum verification by default and a cryptographic transparency log. Contrast this with Docker Hub for example, where not even npm's basic properties hold. So, it is more like Docker Hub ⊂ npm ⊂ crates.io ⊂ Go modules.

[1] Nowadays npm has this arguably too
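The "automatic checksum verification" weinzierl attributes to Go modules is concrete enough to show. The following is an added example, not code from the thread or from the Go project: it reimplements the "h1:" directory hash that go.sum records (the algorithm of golang.org/x/mod/sumdb/dirhash.Hash1, here over in-memory files instead of a module zip), parses go.sum lines, and checks a module's files against the recorded entry. The module path example.com/m, its version and its file contents are constructed for the illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the "h1:" hash that go.sum stores: each file is hashed with
// SHA-256, the lines "<hex>  <name>\n" are concatenated in sorted name order,
// and the SHA-256 of that summary is base64-encoded. Names inside a module zip
// carry the "<module>@<version>/" prefix; the go.mod-only entry hashes the
// single name "go.mod". Contents are supplied in memory here (example only).
func hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("dirhash: filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fileHash := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", fileHash[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// parseGoSum reads "<module> <version> <hash>" lines into a map keyed by
// "<module> <version>". Malformed lines are rejected, not silently skipped,
// because a lockfile that cannot be parsed must not be treated as verified.
func parseGoSum(text string) (map[string]string, error) {
	sums := make(map[string]string)
	scanner := bufio.NewScanner(strings.NewReader(text))
	for scanner.Scan() {
		line := strings.TrimSpace(scanner.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", line)
		}
		sums[fields[0]+" "+fields[1]] = fields[2]
	}
	return sums, scanner.Err()
}

// verify recomputes the hash of the supplied files and compares it with the
// go.sum entry for module@version. A missing entry is an error (nothing to
// verify against); a present entry that does not match returns false.
func verify(sums map[string]string, module, version string, files map[string][]byte) (bool, error) {
	want, ok := sums[module+" "+version]
	if !ok {
		return false, fmt.Errorf("no go.sum entry for %s %s", module, version)
	}
	got, err := hash1(files)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

func main() {
	// Constructed module contents, named as they would appear inside the zip.
	files := map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n\ngo 1.21\n"),
		"example.com/m@v1.0.0/m.go":   []byte("package m\n"),
	}
	h, _ := hash1(files)
	sums, _ := parseGoSum("example.com/m v1.0.0 " + h + "\n")
	ok, _ := verify(sums, "example.com/m", "v1.0.0", files)
	fmt.Println("pristine module matches go.sum:", ok)

	// A modified source file changes the hash, so the entry no longer matches.
	files["example.com/m@v1.0.0/m.go"] = []byte("package m\n\nfunc init() {}\n")
	ok, _ = verify(sums, "example.com/m", "v1.0.0", files)
	fmt.Println("modified module matches go.sum:", ok)
}
```

The point a reviewer of a dependency-update change should take from this is that the lockfile entry pins the exact bytes, not just the version string: any change to any file under the same version flips the comparison to false, which is what makes an immutable, append-only registry plus a client-side checksum database effective against a silently re-published version.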
lucideer 38 minutes ago | parent

To clarify (a lot of sibling commenters misinterpreted this too, so probably my fault; I can't edit my comment now): I'm not referring to mitigations in public repositories (which, you're right, are varied, but that's a separate topic). I'm purely referring to internal mitigations in companies leveraging open-source dependencies in their software products. These come in many forms, everything from developer education initiatives to hiring commercial SCA vendors, and many other things in between like custom CI automations. Ultimately, while many of these measures are done broadly for all ecosystems when targeting general dependency vulnerabilities (CVEs from accidental bugs), all of the supply-chain-attack motivated initiatives I've seen companies engage in are single-ecosystem. Which seems wasteful.