
1369 points universesquid | 2 comments
1. zubilent No.45171761
Is the npm package ecosystem fixable at this point? It seems to be flawed by design.

Is there a way to not accept any package version less than X months old? It's not ideal because malicious changes may still have gone undetected in that time span.

Time to deploy AI to automatically inspect packages for suspect changes.

replies(1): >>45174219 #
2. mattstir No.45174219
It's a tricky thing because what if the update fixes a critical vulnerability? Then you'd be stuck on the exploitable version for X months longer.
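The minimum-age idea from the first comment, with the second comment's objection handled by an explicit per-version override, as an added example that is not part of the thread. It assumes the `time` field of an npm registry packument (`https://registry.npmjs.org/<name>` returns `{"time": {"<version>": "<ISO 8601>", ...}}`); the sample data, package name and the `allow` override are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a packument's "time" field: each published version
# mapped to its publish timestamp, plus the "created"/"modified" entries the
# registry also includes. Hypothetical package, dates chosen for the demo.
SAMPLE_TIME = {
    "created": "2023-01-10T00:00:00.000Z",
    "modified": "2025-09-08T12:00:00.000Z",
    "1.0.0": "2023-01-10T00:00:00.000Z",
    "1.1.0": "2024-06-01T00:00:00.000Z",
    "1.2.0": "2025-09-08T12:00:00.000Z",  # published hours before "now"
}


def parse_semver(version):
    """Sort key for plain MAJOR.MINOR.PATCH versions (pre-release tags not handled)."""
    return tuple(int(part) for part in version.split("."))


def published_versions(time_field):
    """Yield (version, aware datetime) pairs, skipping the non-version keys."""
    for version, stamp in time_field.items():
        if version in ("created", "modified"):
            continue
        yield version, datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def select_version(time_field, now, min_age_days, allow=frozenset()):
    """Return the newest version that has been public for at least min_age_days.

    `allow` holds versions that may bypass the age gate, e.g. a security fix a
    human has reviewed, which addresses the objection that an age policy alone
    would delay a critical patch. Returns None if nothing qualifies.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible = [v for v, ts in published_versions(time_field)
                if v in allow or ts <= cutoff]
    return max(eligible, key=parse_semver) if eligible else None


def quarantined_versions(time_field, now, min_age_days):
    """Versions still inside the quarantine window, newest first (for reporting)."""
    cutoff = now - timedelta(days=min_age_days)
    young = [v for v, ts in published_versions(time_field) if ts > cutoff]
    return sorted(young, key=parse_semver, reverse=True)


if __name__ == "__main__":
    now = datetime(2025, 9, 9, tzinfo=timezone.utc)
    print("pick:", select_version(SAMPLE_TIME, now, 30))           # 1.1.0
    print("held:", quarantined_versions(SAMPLE_TIME, now, 30))     # ['1.2.0']
    print("with override:", select_version(SAMPLE_TIME, now, 30, {"1.2.0"}))  # 1.2.0
```

Running the same selection against a real packument's `time` object requires only fetching it; the policy logic is unchanged.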