top | item 45274253


aj_g | 5 months ago

Anyone have a good solution to scan all code in our Github org for uses of the affected packages? Many of the methods we've tried have dead ended. Inability to reliably search branches is quite annoying here.

cube00 | 5 months ago

If you have tens of thousands of repos with branches to match, you'll be scanning all year.

Proxy NPM with something like Artifactory which stops the bad package getting back in or ending up in any new builds.

Follow it up with endpoint protection to weed the package out of the local checked out copies and .npm on the individual dev boxes.

ozim | 5 months ago

Have you tried Dependency Track from OWASP? Generate an SBOM from each repo/project and post it via the API to DT, and you have a full overview. You have to hook it up so it is done automatically, because of course stuff will always move.

TZubiri | 5 months ago

Any junior engineer should be able to solve this with grep in an afternoon.

aj_g | 5 months ago

For several thousand repos? Ensuring none of the 451 package versions have been installed on any branch in any repo? I don't think it's so simple.
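The scan the original question and this reply are asking for (every branch of every repo, checked against a list of affected package versions) mostly comes down to reading lockfiles out of git history without checking branches out. The script below is an added example written for this thread, not code from any commenter or from Dependency-Track. It parses `package-lock.json` in both the v1 (nested `dependencies`) and v2/v3 (flat `packages`) layouts, matches entries against an affected list, walks every local and remote-tracking ref of a cloned repo with plain `git` plumbing, and, picking up ozim's suggestion, emits a minimal CycloneDX SBOM that could be posted to Dependency-Track. The `AFFECTED` table, the package names and the two sample lockfiles are constructed placeholders; the real list comes from the advisory you are responding to.

```python
"""Scan package-lock.json files across all git branches for affected npm versions.

Added example for this thread (not from any commenter). All package names,
versions and lockfile contents below are constructed placeholders.
"""
import json
import subprocess
from typing import Dict, Iterator, Set, Tuple

# Constructed placeholder: affected package name -> set of affected versions.
# Replace with the advisory's real list.
AFFECTED: Dict[str, Set[str]] = {
    "example-left-pad": {"1.3.1", "1.3.2"},
    "@example/scope-pkg": {"2.0.0"},
}


def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every package recorded in a package-lock.json.

    lockfileVersion 2/3 keep a flat "packages" map keyed by node_modules path;
    lockfileVersion 1 (and v2, for back-compat) keeps a nested "dependencies"
    tree. Both are walked; callers dedupe by collecting into a set."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Name is whatever follows the last "node_modules/" segment,
            # which preserves scoped names such as @scope/pkg.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if meta.get("version"):
                yield name, meta["version"]
    stack = [lock.get("dependencies") or {}]
    while stack:
        for name, meta in stack.pop().items():
            if meta.get("version"):
                yield name, meta["version"]
            if isinstance(meta.get("dependencies"), dict):
                stack.append(meta["dependencies"])


def find_affected(lock_text: str, affected: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Return the (name, version) pairs in one lockfile that are on the affected list.
    Unparseable input (a truncated or non-JSON blob) yields an empty set rather than an exception."""
    try:
        lock = json.loads(lock_text)
    except json.JSONDecodeError:
        return set()
    return {(n, v) for n, v in iter_lock_entries(lock) if v in affected.get(n, ())}


def to_cyclonedx(lock_text: str) -> dict:
    """Minimal CycloneDX 1.4 BOM (JSON) for the lockfile, with npm purls,
    in the shape Dependency-Track's BOM upload API accepts."""
    lock = json.loads(lock_text)
    components = []
    for name, version in sorted(set(iter_lock_entries(lock))):
        # purl spec encodes a leading "@" of a scoped npm name as %40
        purl = f"pkg:npm/{name.replace('@', '%40', 1)}@{version}"
        components.append({"type": "library", "name": name, "version": version, "purl": purl})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": components}


def _git(repo_dir: str, *args: str) -> str:
    return subprocess.run(["git", "-C", repo_dir, *args], check=True,
                          capture_output=True, text=True).stdout


def scan_repo_branches(repo_dir: str, affected: Dict[str, Set[str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Scan every branch of a cloned repo (use `git clone --mirror` so all refs are
    present) without checking anything out. Returns {"<ref>:<path>": hits}."""
    results: Dict[str, Set[Tuple[str, str]]] = {}
    refs = _git(repo_dir, "for-each-ref", "--format=%(refname)", "refs/heads", "refs/remotes").split()
    for ref in refs:
        for path in _git(repo_dir, "ls-tree", "-r", "--name-only", ref).splitlines():
            # Skip vendored node_modules trees; their own lockfiles are noise.
            if path.endswith("package-lock.json") and "node_modules/" not in path:
                hits = find_affected(_git(repo_dir, "show", f"{ref}:{path}"), affected)
                if hits:
                    results[f"{ref}:{path}"] = hits
    return results


# Constructed sample lockfiles (one per layout) so the script runs offline.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-left-pad": {"version": "1.3.2"},
        "node_modules/other-lib": {"version": "4.0.0"},
        "node_modules/other-lib/node_modules/@example/scope-pkg": {"version": "2.0.0"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "example-left-pad": {"version": "1.3.0"},
        "other-lib": {"version": "4.0.0",
                      "dependencies": {"@example/scope-pkg": {"version": "2.0.0"}}},
    },
})

if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, sorted(find_affected(text, AFFECTED)))
    print(json.dumps(to_cyclonedx(SAMPLE_LOCK_V3), indent=1))
```

Run `scan_repo_branches("/path/to/repo.git", AFFECTED)` over each mirror clone in the org to get the per-branch hit list. Two caveats worth keeping in mind: a lockfile only records what was resolved at commit time, so branches without a lockfile, `yarn.lock`/`pnpm-lock.yaml` projects, and the `node_modules` and `~/.npm` caches on developer machines (cube00's point) are outside what this finds; and the scan is exact-version matching, so semver ranges in `package.json` are deliberately not treated as evidence either way.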