cute_boi (4 hours ago):
They should have added a 1-day age limit by default, so security scanners have some time.

geophph (3 hours ago), in reply to cute_boi:
The maintainer of pnpm mentioned this on the PodRocket podcast recently. Based on recent npm exploits they decided (and based on a poll they did, most users agreed) to set it to 1 day by default in v11. You can always choose to change it if you desire.

KolmogorovComp (4 hours ago), in reply to cute_boi:
I don't think it'd necessarily be a good decision; sometimes CVEs are actively exploited and need quick patching. A better safety net would be to require active 2FA proof for every package update.

therealmarv (2 hours ago), in reply to KolmogorovComp:
As if supply chain attacks could always have been prevented by 2FA or passkeys. You want delays by x days because supply chain attacks get caught very often within 1-2 days. And if you really, really want to make an exception for a zero day, then that's no problem and you can still quick-patch by exclusion from that rule. They don't contradict each other in an unsolvable way. You want both, you get both.

doctorpangloss (2 hours ago), in reply to therealmarv:
How do you know what's a zero-day fix? (You write something.) So then you have to check every package's updates and decide if you update, yes?

jnwatson (4 hours ago), in reply to KolmogorovComp:
If you need a quick patch, you pass another parameter to turn off the 1 day. A 1-day delay will prevent more problems than it makes.

alexdns (3 hours ago), in reply to jnwatson:
So this parameter can be passed by the attackers also, thus making your point pointless.

gbear605 (3 hours ago), in reply to alexdns:
The idea of the parameter is stopping the attackers from getting on your system in the first place.

therealmarv (2 hours ago), in reply to alexdns:
That parameter cannot be set by a package; only you can set it.
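An illustrative version of the minimum-release-age rule the thread is arguing about, with the per-project exclusion list that waives the delay for an urgent patch. This is an added example, not pnpm's code; the package name, timestamps, fixed clock and the `exclude` parameter are constructed assumptions, and the `time` map only mirrors the shape of the npm registry's per-version publish timestamps.

```python
"""Minimum-release-age filter for package resolution (illustrative only)."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (constructed).
NOW = datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample in the shape of a registry `time` map for one package:
# version -> ISO-8601 publish timestamp, plus the "created"/"modified" keys.
SAMPLE_TIME = {
    "created": "2023-01-01T00:00:00.000Z",
    "modified": "2025-09-10T09:00:00.000Z",
    "1.4.0": "2025-06-01T10:00:00.000Z",
    "1.4.1": "2025-09-08T08:00:00.000Z",  # 2 days old: passes a 1-day limit
    "1.5.0": "2025-09-10T09:00:00.000Z",  # 3 hours old: held back by a 1-day limit
}


def _semver_key(version):
    # Assumes plain X.Y.Z versions (no pre-release tags) for simplicity.
    return tuple(int(part) for part in version.split("."))


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def pick_version(pkg, time_map, min_age_days, exclude=frozenset(), now=NOW):
    """Return the newest version published at least `min_age_days` ago, or None.

    `exclude` is the consuming project's own allowlist of package names for
    which the delay is waived (the zero-day escape hatch from the thread).
    It lives in the consumer's config: nothing inside a package can add
    itself to it, which is the point made in the last reply above.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible = []
    for version, published in time_map.items():
        if version in ("created", "modified"):
            continue  # registry bookkeeping keys, not versions
        if pkg in exclude or _parse_ts(published) <= cutoff:
            eligible.append(version)
    if not eligible:
        return None
    return max(eligible, key=_semver_key)
```

With a 1-day limit the resolver settles on 1.4.1 even though 1.5.0 exists; only listing the package in `exclude` (a deliberate, local decision) lets the three-hour-old release through.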