sspiff 7 hours ago

It's wild that none of these are set by default.

I know 90% of people I've worked with will never know these options exist.

po1nt 7 hours ago | parent | next [-]

That would likely mean the same number of people get the vulnerability, just 7 days later.

user34283 2 hours ago | parent [-]

The compromised packages were removed from the registry within hours.

brabel 5 minutes ago | parent [-]

Because everyone got updates immediately. If the default was 7 days, almost no one would get updates immediately but after 7 days, and now someone only finds out about it after 7 days. Unless there is a poor soul checking packages as they are published that can alert the registry before 7 days pass, though I imagine very few do that and hence a dedicated attacker could influence them to not look too hard.
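The timing argument in the comments above can be made concrete with a small model of a minimum-release-age gate. The thread does not name the specific option, so the following is an added illustration (not code from the thread or from any package manager): it assumes the gate works by ignoring any version published less than N days ago, and it uses the `time` map shape that the npm registry's package document carries (version → publish timestamp). The package, versions and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample of a registry packument "time" map (version -> ISO publish timestamp).
# The npm registry also includes "created" and "modified" keys alongside the versions.
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2024-06-20T15:30:00.000Z",
    "1.0.0": "2024-01-10T09:00:00.000Z",
    "1.1.0": "2024-03-02T12:00:00.000Z",
    "1.1.1": "2024-06-18T08:00:00.000Z",
    "1.2.0": "2024-06-20T15:30:00.000Z",  # freshly published, inside a 7-day window
}

NON_VERSION_KEYS = {"created", "modified", "unpublished"}


def parse_ts(ts):
    """Parse a registry ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(v):
    """Minimal ordering for x.y.z versions (this toy example ignores prerelease tags)."""
    return tuple(int(p) for p in v.split("."))


def eligible_versions(time_map, now_iso, min_age_days):
    """Versions that were published at least `min_age_days` before `now_iso`.

    This is the gate: anything newer is invisible to the resolver until it ages in.
    """
    cutoff = parse_ts(now_iso) - timedelta(days=min_age_days)
    return [
        v for v, ts in time_map.items()
        if v not in NON_VERSION_KEYS and parse_ts(ts) <= cutoff
    ]


def newest_eligible(time_map, now_iso, min_age_days):
    """Highest version a gated installer would resolve to, or None if nothing has aged in."""
    eligible = eligible_versions(time_map, now_iso, min_age_days)
    return max(eligible, key=version_key) if eligible else None


def gated_users_exposed(published_iso, removed_iso, min_age_days):
    """Could an installer behind an N-day gate ever have resolved a version that the
    registry removed at `removed_iso`?  Only if the version survived past the window.

    This is the point made above: a compromised version pulled within hours never
    reaches gated users, but the ungated users who installed it are how it gets found.
    """
    ages_in_at = parse_ts(published_iso) + timedelta(days=min_age_days)
    return parse_ts(removed_iso) > ages_in_at


if __name__ == "__main__":
    now = "2024-06-22T00:00:00.000Z"
    print("7-day gate resolves to:", newest_eligible(SAMPLE_TIME, now, 7))
    print("no gate resolves to:   ", newest_eligible(SAMPLE_TIME, now, 0))
    print("pulled after 6h, gated users exposed:",
          gated_users_exposed("2024-06-20T15:30:00.000Z", "2024-06-20T21:30:00.000Z", 7))
```

With the constructed data and a 7-day window the resolver lands on `1.1.0` rather than `1.2.0`, and a version removed six hours after publication never becomes eligible for gated installers at all. The flip side that brabel raises also falls out of the model: if every installer were gated, nobody would install the fresh version inside the window, so the removal that makes `gated_users_exposed` return False would have nothing to trigger it.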

zelphirkalt 7 hours ago | parent | prev [-]

If everyone or a majority of people sets these options, then I think issues will simply be discovered later. So if other people run into them first, better for us, because then the issues have a chance of being fixed once our acceptable package/version age is reached.