
Openoffice update 2020
Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit, covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns.

Ring in some changes

But Socket's scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others.

"npm creates what is called the 'ideal tree' for a given package.json," Feross Aboukhadijeh told The Register. "So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version."

The cause for this concern is that JavaScript packages distributed via npm can be compromised. According to Aboukhadijeh, Socket has seen more than 200 packages removed just in the past 30 days.

This JavaScript scanner hunts down malware in libraries
Google debuts OSV-Scanner – a Go tool for finding security holes in open source
Microsoft Azure developers targeted by 200-plus data-stealing npm packages
Open source software has its perks, but supply chain risks can't be ignored

Aboukhadijeh said that the average npm package has 79 transitive dependencies, so installing one is likely to bring dozens of additional packages along for the ride.