this post was submitted on 15 Oct 2025

Sysadmin

About a month ago NPM was compromised. It was advised to lock versions to before the compromise.

However, one eventually needs to unlock and start getting updates again. Does anybody know if the coast is clear, or possibly a place that is tracking known compromised packages and their current status?
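One concrete way to answer "is my tree clean?" for a given lockfile is to check every pinned package@version in `package-lock.json` against whatever list of known-bad versions you are tracking. The script below is an added example written for this thread, not code from the original post or from npm; it assumes the lockfile v2/v3 layout (a top-level `packages` map keyed by `node_modules/...` paths) and uses a constructed denylist with placeholder package names, since the thread names no specific compromised packages.

```javascript
"use strict";

// Added example (not from the Lemmy thread). Scans a package-lock.json
// (lockfileVersion 2 or 3) for entries whose name@version appear in a
// denylist, and flags entries that carry no integrity hash.

// Derive the package name from a lockfile "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/b".
// Returns null for the root project entry ("") and for workspace paths.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null;
  return lockPath.slice(idx + marker.length);
}

// Parse lockfile JSON text into a flat list of {path, name, version, integrity}.
function parseLockfile(text) {
  const lock = JSON.parse(text);
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const entries = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    const name = nameFromLockPath(lockPath);
    if (name === null || meta.link) continue; // skip root and workspace links
    entries.push({
      path: lockPath,
      name,
      version: meta.version,
      integrity: meta.integrity || null,
    });
  }
  return entries;
}

// denylist shape: { "pkg-name": ["1.2.3", "1.2.4"], ... }
// Returns the entries whose exact name+version is listed.
function findDenylisted(entries, denylist) {
  return entries.filter(
    (e) => Array.isArray(denylist[e.name]) && denylist[e.name].includes(e.version)
  );
}

// Entries without an integrity hash cannot be verified against the
// registry tarball at install time, so they are worth flagging too.
function findMissingIntegrity(entries) {
  return entries.filter((e) => e.integrity === null);
}

function scan(lockText, denylist) {
  const entries = parseLockfile(lockText);
  return {
    total: entries.length,
    denylisted: findDenylisted(entries, denylist),
    missingIntegrity: findMissingIntegrity(entries),
  };
}

// Constructed sample lockfile; not a real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "example-widget": "^1.0.0" } },
    "node_modules/example-widget": { version: "1.4.2", integrity: "sha512-AAAA" },
    "node_modules/@example/utils": { version: "3.0.1", integrity: "sha512-BBBB" },
    "node_modules/example-widget/node_modules/example-helper": { version: "0.9.0" },
    "packages/local-lib": { link: true },
  },
});

// Constructed denylist with placeholder names and versions; in practice this
// would be filled from whatever advisory source you maintain.
const SAMPLE_DENYLIST = {
  "example-widget": ["1.4.2", "1.4.3"],
  "example-helper": ["1.0.0"],
};

const report = scan(SAMPLE_LOCK, SAMPLE_DENYLIST);
for (const e of report.denylisted) {
  console.log(`DENYLISTED   ${e.name}@${e.version} (${e.path})`);
}
for (const e of report.missingIntegrity) {
  console.log(`NO-INTEGRITY ${e.name}@${e.version} (${e.path})`);
}
console.log(`${report.total} packages scanned`);
```

To run it against a real tree, pass the contents of your `package-lock.json` (for example `fs.readFileSync("package-lock.json", "utf8")`) to `scan` instead of the embedded sample, and replace `SAMPLE_DENYLIST` with your own tracked list. The match is on exact versions rather than semver ranges on purpose: a lockfile pins exact versions, so a hit means that version will actually be installed, and an unlock can be limited to packages that come back clean.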

mlfh@lemmy.sdf.org 2 points 3 months ago

I think one of the issues inherent to the node ecosystem is that the coast is never clear. When the ethos is to never reinvent the wheel, and instead pull in a dependency chain of thousands of tiny things made by thousands of people (not necessarily a bad thing, it saves time and lets developers focus on what they really want to do), you're going to have supply chain attacks that go undetected, because nobody has time to vet every single change to all those thousands of things.