Wild claim that setting the minimum age to 7 days will result in me "never" getting a supply chain npm vuln.

In this case it would have, because the compromised packages were pulled within 3 hours.

This sort of mitigation seems like it makes sense in the short term, but it seems like it would only work as long as most people don't do it. If everyone has this set to seven days, it will take seven days plus three hours to get things yanked, and then there will be people who will set to 14 days...

▲

worble 3 hours ago | parent | next [-]

No, its still a very useful mitigation tool.

1) Package owners will often realise they've been hacked quickly, since there are releases they never authorised. This gives them plenty of time to raise the alarm and yank the packages

2. Independent security researchers and other automated vulnerability scans will still be checking the latest releases even if users aren't using them

Yes it's not a perfect defense but it would help a lot.

▲

omcnoe 2 hours ago | parent | prev [-]

These malicious packages are being caught by the authors, and by automated package security scanners, not just by end users. npm should start setting this 7 day cooldown as default.

	▲	andix 2 hours ago \| parent [-]
		Even 12 hours would probably be enough. Those automatic malware scanning companies are getting really fast.

▲

mayama 21 minutes ago | parent | prev [-]

you are betting that the package is popular, has enough eyes to mitigate attack in 7 days. attackers could also target unpopular packages for long game

▲

pastel8739 4 hours ago | parent | prev | next [-]

There is a “fresh” in there

▲

4 hours ago | parent | prev [-]

[deleted]