-
I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
# Issue
During my research, I detected a _deleted package_ in this repository.
…
-
SLSA offers:
- A common vocabulary to talk about software supply chain security
- A way to secure your incoming supply chain by evaluating the trustworthiness of the artifacts you consume
- An ac…
-
### Describe the enhancement requested
For now this is more of a wishlist/discussion issue, but could grow into a more precise meta-task if we want to move forward.
There have been growing conce…
-
A user just suggested by email that we should add integrity tags to our assets.
I think it's a small change that would go a long way towards preventing some attacks. A bang-for-buck change.
Especial…
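To make the suggestion concrete, here is an added example (mine, not code from the project or the poster) that generates the `integrity` attribute value for a static asset and verifies an asset against one, following the Subresource Integrity rules browsers apply: the value is one or more `<alg>-<base64 digest>` tokens, only sha256/sha384/sha512 count, unknown algorithms are ignored rather than failing, and when several algorithms are present the strongest one decides. The sample asset bytes are constructed for the example.

```python
"""Generate and verify Subresource Integrity (SRI) values for static assets.

Added example, not from the original thread. Assumes assets are served with
<script integrity="..."> / <link integrity="..."> whose value follows the SRI
grammar: whitespace-separated "<alg>-<base64 digest>" tokens.
"""
import base64
import hashlib
import hmac

# Algorithms the SRI spec recognises; a conforming verifier ignores others.
SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}
# When several algorithms are listed, browsers enforce only the strongest.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def compute_integrity(data: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for an asset's bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict[str, list[bytes]]:
    """Parse an integrity attribute into {algorithm: [digests]}.

    Unknown algorithms, bad base64 and wrong-length digests are skipped,
    which is what browsers do with tokens they cannot use.
    """
    parsed: dict[str, list[bytes]] = {}
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        # The grammar permits trailing "?options"; options are ignored.
        b64 = rest.split("?", 1)[0]
        try:
            # validate=True rejects characters outside the base64 alphabet;
            # binascii.Error is a ValueError subclass, so one clause suffices.
            digest = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        if len(digest) != hashlib.new(alg).digest_size:
            continue
        parsed.setdefault(alg, []).append(digest)
    return parsed


def verify_integrity(data: bytes, attr: str) -> bool:
    """True if the asset matches any digest of the strongest algorithm listed.

    A browser loads an asset whose attribute has no usable token without
    enforcement; here that case returns False, because in a build-time check
    an integrity value that enforces nothing is itself a defect.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return False
    strongest = max(parsed, key=_STRENGTH.__getitem__)
    actual = hashlib.new(strongest, data).digest()
    return any(hmac.compare_digest(actual, d) for d in parsed[strongest])


if __name__ == "__main__":
    asset = b"console.log('hello');\n"  # constructed sample asset
    tag = compute_integrity(asset)
    print(f'<script src="app.js" integrity="{tag}" '
          f'crossorigin="anonymous"></script>')
    print(verify_integrity(asset, tag))            # unchanged asset
    print(verify_integrity(asset + b"//x\n", tag))  # asset modified in transit
```

Run this over each built asset in the release step and write the value into the HTML; remember that SRI only helps if the tag is also served from a page the attacker cannot edit, and that a cross-origin asset additionally needs `crossorigin="anonymous"` and a CORS-enabled response or the browser will refuse to check it.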
-
Our team wants to use prost for an ongoing project, however, we are concerned about the risk of bad changes making it into the repository, introducing vulnerabilities into our project given how prevalent…
-
Dear web page owners,
I just wanted to let you know that when I'm browsing the internet, I usually use a JavaScript blocker extension called NoScript. I work in the field of quantum chemistry, and …
nom05 updated
4 months ago
-
Protect HyperPlay devs from supply chain attacks with @lavamoat/allow-scripts
Added to client here: https://github.com/HyperPlay-Gaming/hyperplay-desktop-client/pull/416
Reference: https://githu…
-
Crosswalk S2C2F with ["Taxonomy of Attacks on OSS Supply Chains" by Ladisa et al.](https://arxiv.org/abs/2204.04008) Perhaps we should use their terminology, or at least mention its alternative names.…
-
Reopening #2210, as it was closed while completely ignoring the root of the request.
So let me be more explicit:
* Sign the list. There is no way to verify the integrity of it.
* #2210 was clo…
-
The package depends on the unmaintained "rc" package, recently [compromised](https://github.com/advisories/GHSA-g2q5-5433-rhrf) on npm.
It would be great if this dependency could be eliminated. At …
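Before a maintainer can eliminate a dependency like this one, it helps to know every copy of it in the install tree and which direct dependency pulls each copy in, since a transitive dependency can be installed several times at different versions. The following is an added example (mine, not the project's or the reporter's) that walks an npm `package-lock.json` (lockfileVersion 2 or 3, which carry the `packages` map), applies npm's nearest-`node_modules` resolution to attribute each copy to its requirers, and flags versions in a given set. The lockfile, the package names other than `rc`, and the flagged version set are constructed for the example; take the real affected versions from the linked advisory.

```python
"""Locate every installed copy of a dependency (e.g. "rc") in an npm
package-lock.json, report which packages require it, and flag versions in a
given set.

Added example, not from the original issue. Assumes lockfileVersion 2 or 3
(the "packages" map keyed by install path). The sample lockfile below and
the BAD_VERSIONS set are constructed for illustration.
"""
import json


def resolve(packages: dict, requirer: str, name: str):
    """npm resolution: nearest node_modules/<name> walking up from `requirer`.

    `requirer` is the lockfile path of the requiring package ("" is the root).
    Returns the lockfile path of the copy that would be loaded, or None.
    """
    base = requirer
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def find_dependency(lock: dict, name: str) -> list[dict]:
    """Return [{path, version, required_by}] for every installed copy of `name`."""
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages' map; upgrade the lockfile")
    packages = lock["packages"]
    hits = []
    for path, meta in packages.items():
        # "node_modules/rc" and "node_modules/x/node_modules/rc" both match;
        # "node_modules/@scope/rc" and "node_modules/rc-foo" do not.
        if not path or path.rsplit("node_modules/", 1)[-1] != name:
            continue
        required_by = []
        for requirer, rmeta in packages.items():
            deps = {**rmeta.get("dependencies", {}), **rmeta.get("devDependencies", {})}
            if name in deps and resolve(packages, requirer, name) == path:
                required_by.append(requirer or "<root>")
        hits.append({"path": path, "version": meta.get("version"), "required_by": required_by})
    return hits


def flagged(hits: list[dict], bad_versions: set) -> list[dict]:
    """Subset of `hits` whose version is in `bad_versions`."""
    return [h for h in hits if h["version"] in bad_versions]


# Constructed sample lockfile: two copies of rc at different versions.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"registry-url": "^6.0.0", "config-lib": "^1.0.0"}},
    "node_modules/registry-url": {"version": "6.0.1", "dependencies": {"rc": "1.2.8"}},
    "node_modules/rc": {"version": "1.2.8"},
    "node_modules/config-lib": {"version": "1.0.0", "dependencies": {"rc": "1.2.9"}},
    "node_modules/config-lib/node_modules/rc": {"version": "1.2.9"}
  }
}""")
BAD_VERSIONS = {"1.2.9"}  # placeholder set for the example, not the advisory's list


if __name__ == "__main__":
    hits = find_dependency(SAMPLE_LOCK, "rc")
    for h in hits:
        print(f"{h['path']} {h['version']} <- {', '.join(h['required_by'])}")
    for h in flagged(hits, BAD_VERSIONS):
        print(f"FLAGGED: {h['path']} is version {h['version']}")
```

Point it at a real lockfile with `json.load(open("package-lock.json"))`; the `required_by` list tells you which direct dependency has to be replaced or pinned to get rid of a given copy, which is the information the issue is really asking the maintainers for.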