(www.aikido.dev)

1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

dist-epoch ◴[08 Sep 25 16:09 UTC] No.45170028[source]▶

Given that most of these kind of attacks are detected relatively quickly, NPM should implement a feature where it doesn't install/upgrade packages newer than 3 days, and just use the previous version.

replies(3): >>45170138 #>>45170232 #>>45170382 #

1. jowea ◴[08 Sep 25 16:23 UTC] No.45170232[source]▶

>>45170028 #

What if the latest patch is (claiming to be) a security fix? Then that's 3 days of more insecurity.

↑

NPM debug and chalk packages compromised