codeinabox@programming.dev to Programming@programming.dev · 1 day ago
Every dependency you add is a supply chain attack waiting to happen (benhoyt.com)
123 upvotes · 12 comments · cross-posted to: [email protected]
Eager Eagle · 1 day ago · 39 points
> You should probably turn off Dependabot

Nonsense, most of these supply chain attacks are detected and have their problematic versions pulled within a few hours. Just set a cooldown period for dependabot.
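For anyone wanting to act on the cooldown suggestion above: the snippet below is an added example of a `.github/dependabot.yml`, not something from the linked article or the commenter. It assumes the `cooldown` block of Dependabot's configuration schema (`default-days` plus the per-semver-level `*-days` keys and `include`/`exclude` package lists); check the current GitHub docs for the ecosystems it applies to. The first `updates` entry is the default behaviour, which files a PR as soon as a new version is published; the second delays each bump until the release has been public for a set number of days, which is the window in which a malicious version is most likely to be reported and unpublished.

```yaml
# .github/dependabot.yml (added example, not from the original post)
version: 2
updates:
  # Weak: no cooldown, so a version published an hour ago is proposed immediately.
  - package-ecosystem: "npm"
    directory: "/legacy-service"
    schedule:
      interval: "daily"

  # Hardened: wait before proposing any new version, longer for bigger jumps.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7          # applies to anything not matched below
      semver-major-days: 30    # major bumps get the longest soak time
      semver-minor-days: 14
      semver-patch-days: 7
      exclude:
        - "@acme/internal-*"   # constructed name: first-party packages need no delay
```

A security advisory update is still raised promptly regardless of the cooldown, so the delay only affects routine version bumps, which is exactly where a freshly compromised release would otherwise slip in.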
The discovered ones anyway.
Newer is not often better.