undefined | Better HN

0 pointsbakugo1mo ago0 comments

I highly recommend enforcing a minimum dependency release age of at least a week across all package managers used at your workplace. Most package managers support it now, and it will save you from the vast majority of these attacks.

https://news.ycombinator.com/item?id=47582632

0 comments

2 comments · 1 top-level

AgentME1mo ago· 1 in thread

Highly recommend using the minimum release age setting, though I think a week is probably overkill. Did any of the recent supply-chain attacks have a malicious version up for more than a day?

bakugoOP1mo ago

Maybe not, but how much of that was luck? I think it's only a matter of time until a similar compromise happens but nobody notices it for a few days, better safe than sorry.

j / k navigate · click thread line to collapse