Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud
Briefly

"saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn't match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed."
"Those recommendations 'became the standard advice everywhere from GitHub security guides to corporate policy docs' after November, says Yomtov, 'because if malicious code can't run on install, and your dependency tree is pinned, you're covered.'"

November's advice still valid, but more issues need addressing

"That advice is still valid, he added in an email interview. However, the vulnerabilities he discovered, dubbed PackageGate, that allow hackers to get around those two defenses have to be addressed by all platforms, he said."
Disabling lifecycle scripts and committing lockfiles, which carry integrity hashes, to version control were the recommended defenses against malicious dependencies. The lockfile records the exact version and integrity hash of every package in the dependency tree; on install the package manager checks each incoming package against its recorded hash and fails the install on any mismatch. Those measures became standard advice after November because, if no code runs on install and the dependency tree is pinned, a compromised package should be blocked before it lands. The newly disclosed vulnerabilities, dubbed PackageGate, bypass both of those defenses and therefore require fixes across platforms to restore that protection.
Read at InfoWorld