Following the npm hack, I think this is an attack vector that will get more popular in the short term. What tools beside npm audit and dependabot, do you use to monitor for dependency security vulnerabilities?
My strategy has been to limit my exposure to the larger NPM/Node.js ecosystem. I'll use it only in limited cases where a front-end dependency is required.
patrick4urcloud|5 months ago
see https://medium.com/@contact_52772/malicious-npm-packages-aut... .
For futur we can add a call to an open source api to list the ban packages. Thank you, Patrick
palmfacehn|5 months ago