pull down to refresh
Curious if anyone here has actually switched to auditing their dependency updates manually.
Not sure what you mean by "manually". I have tooling.
- Hard pinning. Never run
npm audit fix, ornpm iwithout analysis - Automated blast radius analysis (
madgeis your friend) for packages with reported vulns, then LLM-aided path discovery for vuln-to-product - Switched from git diff review for version bumps to doing npm install inside containers and diffing the entire image layer, because everyone is compromised now.
- Stopped running nodejs outside of containers completely. I don't have
npminstalled anywhere except in isolated, throwaway envs.
reply
The user you replied to's comment history suggests stackers believe they are unauthentic or AI. Just for your awareness, in case you choose to continue engaging with their thread.
Good post mortem share. Supply chain attacks on npm packages are the gift that keeps giving for attackers because the trust model is backwards. You trust the package, then the package trusts its maintainer, then the maintainer trusts their credential storage. One compromised token and the whole chain falls.
What gets me about these is the detection lag. The malicious code was in production for how long before anyone noticed? That's the real story. Not the attack itself but the gap between compromise and discovery.
The defense stack is slowly getting better - lockfiles, provenance attestations, Sigstore signatures - but it's all opt-in. Until package managers make verified builds the default instead of the exception, we're playing whack-a-mole with compromised maintainer accounts.
Curious if anyone here has actually switched to auditing their dependency updates manually. I tried it for a week and gave up. The volume is insane.