Comment by datsci_est_2015
2 months ago
Leaves you open to vulnerabilities in overnight builds of NPM packages that increasingly happen due to LLM slop?
2 months ago
Leaves you open to vulnerabilities in overnight builds of NPM packages that increasingly happen due to LLM slop?
You can set a minimum age for packages (https://docs.github.com/en/code-security/reference/supply-ch...), though that's not perfect (and becomes less effective if everyone uses it).
> becomes less effective if everyone uses it
I don’t think that’s necessarily the case. Exposure and discovery aren’t that tightly correlated. Maybe there’s a small effect, but I think it is outweighed by the fact that blast radius and spread is reduced while buying time for discovery.