undefined | Better HN

0 pointsshreddit8mo ago0 comments

“within hours” is at least one hour too late, and most likely multiple hours.

0 comments

Absolutely not. you get npm packages by pulling not them pushing them to you as soon as a new version exist. The likelyhood of you updating instantly is close to zero and if not, you should set your stuff up so that it is. Many ways to do that. Even better if compared to a month or two - which is how long it often takes for a researcher to find a carefully planted malware.

Anyway, the case where reactive tools (detections, warnings) don't catch it is why LavaMoat exists. It prevents whole classes of malware from working at runtime. The article (and repo) demonstrates that.

rs1868mo ago

Sure, it should never happen in CI environment. But I bet that every second, someone in the world is running "npm install" to bring in a new dependency to a new/existing project, and the impact of a malicious release can be broad very quickly. Vibe coding is not going to slow this down.

naugtur8mo ago

Vibe coding brings up the need for even more granular isolation. I'm on it ;)

LavaMoat Webpack Plugin will soom have the ability to treat parts of your app same as it currently treats packages - with isolation and policy limiting what they can do.

bavarianbob8mo ago

I've worked in software supply chain security for two years now and this is an extremely optimistic take. Nearly all organizations are not even remotely close to this level of responsiveness.

1 more reply

Cthulhu_8mo ago

Depends on whether they hold publishing to the main audience until said scan has finished.

j / k navigate · click thread line to collapse

0 comments

naugtur8mo ago

rs1868mo ago

naugtur8mo ago

Vibe coding brings up the need for even more granular isolation. I'm on it ;)

LavaMoat Webpack Plugin will soom have the ability to treat parts of your app same as it currently treats packages - with isolation and policy limiting what they can do.

bavarianbob8mo ago

I've worked in software supply chain security for two years now and this is an extremely optimistic take. Nearly all organizations are not even remotely close to this level of responsiveness.

1 more reply

Cthulhu_8mo ago

Depends on whether they hold publishing to the main audience until said scan has finished.

j / k navigate · click thread line to collapse