← Back to context Comment by sysguest 2 months ago well you know 100% know what dependabot does 3 comments sysguest Reply datsci_est_2015 2 months ago Leaves you open to vulnerabilities in overnight builds of NPM packages that increasingly happen due to LLM slop? __float 2 months ago You can set a minimum age for packages (https://docs.github.com/en/code-security/reference/supply-ch...), though that's not perfect (and becomes less effective if everyone uses it). catlifeonmars 2 months ago > becomes less effective if everyone uses itI don’t think that’s necessarily the case. Exposure and discovery aren’t that tightly correlated. Maybe there’s a small effect, but I think it is outweighed by the fact that blast radius and spread is reduced while buying time for discovery.
datsci_est_2015 2 months ago Leaves you open to vulnerabilities in overnight builds of NPM packages that increasingly happen due to LLM slop? __float 2 months ago You can set a minimum age for packages (https://docs.github.com/en/code-security/reference/supply-ch...), though that's not perfect (and becomes less effective if everyone uses it). catlifeonmars 2 months ago > becomes less effective if everyone uses itI don’t think that’s necessarily the case. Exposure and discovery aren’t that tightly correlated. Maybe there’s a small effect, but I think it is outweighed by the fact that blast radius and spread is reduced while buying time for discovery.
__float 2 months ago You can set a minimum age for packages (https://docs.github.com/en/code-security/reference/supply-ch...), though that's not perfect (and becomes less effective if everyone uses it). catlifeonmars 2 months ago > becomes less effective if everyone uses itI don’t think that’s necessarily the case. Exposure and discovery aren’t that tightly correlated. Maybe there’s a small effect, but I think it is outweighed by the fact that blast radius and spread is reduced while buying time for discovery.
catlifeonmars 2 months ago > becomes less effective if everyone uses itI don’t think that’s necessarily the case. Exposure and discovery aren’t that tightly correlated. Maybe there’s a small effect, but I think it is outweighed by the fact that blast radius and spread is reduced while buying time for discovery.
Leaves you open to vulnerabilities in overnight builds of NPM packages that increasingly happen due to LLM slop?
You can set a minimum age for packages (https://docs.github.com/en/code-security/reference/supply-ch...), though that's not perfect (and becomes less effective if everyone uses it).
> becomes less effective if everyone uses it
I don’t think that’s necessarily the case. Exposure and discovery aren’t that tightly correlated. Maybe there’s a small effect, but I think it is outweighed by the fact that blast radius and spread is reduced while buying time for discovery.