yourapostasy 5 hours ago
GitHub back in September already published their roadmap of mitigations to NPM supply chain attacks: https://github.blog/security/supply-chain-security/our-plan-... I'm guessing no one yet wants to spend the money it takes for centralized, trusted testing where the test harnesses employ sandboxing and default-deny installs, Deterministic Simulated Testing (DST), or other techniques. And the sheer scale of NPM package modifications per week makes human-in-the-loop-based defense daunting, to the point that a small "gold standard" subset of packages with a more reasonable volume of changes might be the only palatable alternative. What are the thoughts of those deep inside the intersection of NPM and cybersecurity?
dboreham 3 hours ago | parent
You would need to hear the thoughts of those deep inside the intersection of money and money.