Comment by sspiff
24 days ago
It's wild that none of these are set by default.
I know 90% of people I've worked with will never know these options exist.
24 days ago
It's wild that none of these are set by default.
I know 90% of people I've worked with will never know these options exist.
That would likely mean same amount of people get the vulnerability, just 7 days later.
The compromised packages were removed from the registry within hours.
Because everyone got updates immediately. If the default was 7 days, almost no one would get updates immediately but after 7 days, and now someone only finds about after 7 days. Unless there is a poor soul checking packages as they are published that can alert the registry before 7 days pass, though I imagine very few do that and hence a dedicated attacker could influence them to not look too hard.
1 reply →
If everyone or a majority of people sets these options, then I think issues will simply be discovered later. So if other people run into them first, better for us, because then the issues have a chance of being fixed once our acceptable package/version age is reached.