Comment by prdonahue

20 hours ago

> Anyone know of a better way to protect yourself than setting a min release age on npm/pnpm/yarn/bun/uv (and anything else that supports it)?

Most of these attacks don't make it into the upstream source, so solutions[1] that build from source get you ~98% of the way there. If you can't get a from-source build vs. pulling directly from the registries, you can reduce risk somewhat with a cooldown period.

For the long tail of stuff that makes it into GitHub, you need to do some combination of heuristics on the commits/maintainers and AI-driven analysis of the code change itself. Typically run that and then flag for human review.

[1] Here's the only one I know that builds everything from source: https://www.chainguard.dev/libraries

(Disclaimer: I work there.)
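The cooldown idea from the comment above, as an added example that is not prdonahue's or Chainguard's code: a resolver that reads a package's npm registry document and refuses any version published less than a configurable minimum age ago. The package name `left-tool`, its versions and their timestamps are all constructed inline so the script runs offline; the only assumption about the real registry is the shape of the top-level `time` map (version -> ISO-8601 publish timestamp, plus `created`/`modified` entries) as served by https://registry.npmjs.org/<name>. A brand-new package with no version old enough resolves to nothing, which is the behaviour you want for a fresh typosquat.

```python
"""Cooldown-aware version selection over npm registry metadata.

Added example, not code from the comment above. Picks the newest version
that has been public for at least `min_age`, so a release pushed minutes
ago (the usual shape of a hijacked-maintainer attack) is skipped until it
has had time to be noticed and pulled.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed timestamps below are deterministic.
NOW = datetime(2025, 9, 20, 12, 0, tzinfo=timezone.utc)


def _iso(delta):
    # Registry timestamps look like "2025-09-20T09:00:00.000Z".
    return (NOW - delta).strftime("%Y-%m-%dT%H:%M:%S.000Z")


# Constructed registry document for a hypothetical package "left-tool".
# Only the fields this script needs are present.
REGISTRY_DOC = {
    "name": "left-tool",
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": _iso(timedelta(days=400)),
        "modified": _iso(timedelta(hours=3)),
        "1.0.0": _iso(timedelta(days=400)),
        "2.0.0": _iso(timedelta(days=30)),
        "2.0.1": _iso(timedelta(days=10)),
        "2.1.0-rc.1": _iso(timedelta(days=9)),
        "2.1.0": _iso(timedelta(hours=3)),  # published 3 hours ago: not yet trusted
    },
}


def _parse_iso(ts):
    # datetime.fromisoformat wants an explicit offset rather than "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(v):
    # Sort numerically; a prerelease sorts below the matching release.
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums, 0 if pre else 1, pre)


def eligible_versions(doc, min_age, now=NOW):
    """Versions published at least `min_age` before `now`, newest first."""
    cutoff = now - min_age
    out = []
    for ver, ts in doc["time"].items():
        if ver in ("created", "modified"):
            continue  # bookkeeping entries, not versions
        if _parse_iso(ts) <= cutoff:
            out.append(ver)
    return sorted(out, key=_version_key, reverse=True)


def resolve_with_cooldown(doc, min_age, now=NOW, allow_prerelease=False):
    """Return what a cooldown-aware install would pick, next to what
    the 'latest' dist-tag would have handed out."""
    latest = doc["dist-tags"]["latest"]
    candidates = eligible_versions(doc, min_age, now)
    if not allow_prerelease:
        candidates = [v for v in candidates if "-" not in v]
    chosen = candidates[0] if candidates else None
    return {"latest": latest, "chosen": chosen, "skipped_latest": chosen != latest}


if __name__ == "__main__":
    for days in (0, 7, 500):
        print(days, "day cooldown ->", resolve_with_cooldown(REGISTRY_DOC, timedelta(days=days)))
```

The 7-day run picks 2.0.1 and reports that 2.1.0 was skipped; the 500-day run returns no candidate at all, which an install script should treat as a hard failure rather than silently falling back to `latest`. Note what this does not cover: a malicious version that is older than the cooldown, or a compromise in the upstream repository itself, which is the case the comment says needs commit and maintainer heuristics plus review.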