| ▲ | mcintyre1994 6 days ago | |||||||||||||
Nice, but I think the config file is a much better implementation for protecting against supply chain attacks, particularly those targeting developers rather than runtime. You don’t want to rely on every developer passing a flag every time they install. This does suffer from the risk of using `npm install` instead of `pnpm install` though. It would also be nice to have this as a flag so you can use it on projects that haven't configured it though, I wonder if that could be added too. | ||||||||||||||
| ▲ | ramses0 6 days ago | parent | next [-] | |||||||||||||
Just Minimum Version Selection in conjunction with "Minimum non-Vulnerable Version" (and this "--minAge") would do a lot, and effectively suss out a lot of poorly/casually maintained packages (eg: "finished" ones). https://research.swtch.com/vgo-mvs#upgrade_timing MVS makes tons of sense that you shouldn't randomly uptake "new" packages that haven't been "certified" by package maintainers in their own dependencies. In the case of a vulnerable sub-dependency, you're effectively having to "do the work" to certify that PackageX is compatible with PackageY, and "--minAge" gives industry (and maintainers) time to scan before insta-pwning anyone who is unlucky that day. | ||||||||||||||
| ▲ | cap11235 6 days ago | parent | prev [-] | |||||||||||||
You can put the uv setting in pyproject.toml or uv.toml. | ||||||||||||||
| ||||||||||||||