top | item 46045202

splix | 3 months ago

We made a script to avoid such situations. It checks the dependencies just by parsing the package.json (or the lock file), checking the relevant time on the npm registry, and returns an error if it finds a package that was added too recently.

We run it on CI for each commit/PR, and if a developer tries to commit a change that updates a JS dependency to a too-recent version, it prevents the build from running, and so on. Basically we expect that a supply chain attack on NPM would be noticed in a couple of weeks, and we enforce this time window on our code.

See https://github.com/emeraldpay/paranoid.js
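The check described above, as an added example that is not the paranoid.js code: it reads pinned versions from a package-lock.json (lockfileVersion 2/3, the `packages` map; v1 lock files use a different layout and are not handled here), looks up each version's publish timestamp in the registry packument's `time` map, and fails closed on anything younger than the window or with no metadata at all. The lock file, packuments and clock below are constructed sample data; `fetchPackument` is the only part that touches the real registry.

```javascript
const MIN_AGE_DAYS = 14; // the "couple of weeks" window from the comment

// Collect {name, version} for every entry in a lockfileVersion 2/3 package-lock.json,
// transitive dependencies included: the name is whatever follows the last "node_modules/".
function lockedPackages(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !entry.version) continue; // key "" is the root project itself
    out.push({ name: path.slice(idx + 'node_modules/'.length), version: entry.version });
  }
  return out;
}

// Return packages whose pinned version was published less than minAgeDays before `now`.
// A version with no publish time in the packument is also reported (fail closed).
function findTooFresh(packages, packuments, now, minAgeDays = MIN_AGE_DAYS) {
  const cutoffMs = now.getTime() - minAgeDays * 86400000;
  const violations = [];
  for (const { name, version } of packages) {
    const doc = packuments[name];
    const publishedMs = doc && doc.time && doc.time[version] ? Date.parse(doc.time[version]) : NaN;
    if (Number.isNaN(publishedMs)) {
      violations.push({ name, version, reason: 'no publish time in registry metadata' });
    } else if (publishedMs > cutoffMs) {
      const ageDays = Math.floor((now.getTime() - publishedMs) / 86400000);
      violations.push({ name, version, reason: `published ${ageDays} day(s) ago` });
    }
  }
  return violations;
}

// Live use (Node 18+ global fetch): the registry packument carries the `time` map.
async function fetchPackument(name) {
  const res = await fetch(`https://registry.npmjs.org/${name.replace('/', '%2F')}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

// Constructed sample data: one old release, one released two days ago, one with no metadata.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/example-lib': { version: '1.3.0' },
  'node_modules/example-cli': { version: '4.2.1' },
  'node_modules/example-cli/node_modules/example-nested': { version: '0.9.0' },
} };
const SAMPLE_PACKUMENTS = {
  'example-lib': { time: { created: '2020-01-01T00:00:00.000Z', '1.3.0': '2021-03-10T12:00:00.000Z' } },
  'example-cli': { time: { '4.2.0': '2024-04-01T00:00:00.000Z', '4.2.1': '2024-05-30T08:00:00.000Z' } },
};
const SAMPLE_NOW = new Date('2024-06-01T00:00:00.000Z');
function runSample() { return findTooFresh(lockedPackages(SAMPLE_LOCK), SAMPLE_PACKUMENTS, SAMPLE_NOW); }
```

In CI, a non-empty result from `findTooFresh` is the signal to exit non-zero and block the build.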
