Is your feature request related to a problem? If so, please give a short summary of the problem and how the feature would resolve it
Having a supply chain analysis solution to identify potential supply chain attacks is now more important than ever with attacks like the recent attempted XZ attack.
Because of this, we need to up our defenses against nation state threat actors attacking us directly or through our dependencies.
This project is a larger one with ~1.4 million downloads a week. A threat actor would love to breach this.
Describe the preferred solution
Integrate https://socket.dev/ into this project.
Socket is free for open-source projects, like this one :)
I would make a PR for this, but it runs as a GitHub App/bot, and I don't have the permissions to turn it on.
Describe alternatives you've considered
Getting hacked eventually, lol
Additional context
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
https://socket.dev/npm/package/tedious
Reference Documentations/Specifications
https://docs.socket.dev/docs/getting-started
https://socket.dev/features/github