undefined | Better HN

0 pointsWaterluvian8mo ago0 comments

I go to the repo and get a feel for how popular, how recent, and how active the project is. I then lock it and I only update dependencies annually or if I need to address a specific issue.

Risk gets managed, not eliminated. There is no one "correct" approach as risk is a sliding scale that depends on your project's risk appetite.

0 comments

2 comments · 2 top-level

sigmoid108mo ago

None of those methods are even remotely reliable for filtering out bad code. See e.g. this excellent write up on how many methods there are to infect popular repos and bypass common security approaches [1] (including Github "screening"). The only thing that works nowadays is sandbox, sandbox, sandbox. Assume everything may be compromised one day. The only way to prevent your entire company (or personal life) from being taken over is if that system was never connected to anything it didn't absolutely require for running. That includes network access. And regarding separation, even docker is not really safe [2]. VM separation is a bit better. Bare metal is best.

[1] https://david-gilbertson.medium.com/im-harvesting-credit-car...

[2] https://blog.qwertysecurity.com/Articles/blog3.html

2 more replies

franktankbank8mo ago

Popular, recent and active are each easily gameable no?

2 more replies

j / k navigate · click thread line to collapse