prdonahue 3 hours ago

Anyone know of a better way to protect yourself than setting a min release age on npm/pnpm/yarn/bun/uv (and anything else that supports it)? Most of these attacks don't make it into the upstream source, so solutions[1] that build from source get you ~98% of the way there. If you can't get a from-source build vs. pulling directly from the registries, you can reduce risk somewhat with a cooldown period. For the long tail of stuff that makes it into GitHub, you need to do some combination of heuristics on the commits/maintainers and AI-driven analysis of the code change itself. Typically run that and then flag for human review.

[1] Here's the only one I know that builds everything from source: https://www.chainguard.dev/libraries (Disclaimer: I work there.)
eranation 2 hours ago (reply to parent)

Build from source is a great idea, I assume you provide SLSA/sigstore like provenance as well?