qaz@lemmy.world to Selfhosted@lemmy.worldEnglish · 11 hours agoAxios JavaScript library has been compromised with malware in supply chain attackgithub.comexternal-linkmessage-square8linkfedilinkarrow-up1156arrow-down10
arrow-up1156arrow-down1external-linkAxios JavaScript library has been compromised with malware in supply chain attackgithub.comqaz@lemmy.world to Selfhosted@lemmy.worldEnglish · 11 hours agomessage-square8linkfedilink
minus-squareEskuero@lemmy.fromshado.wslinkfedilinkEnglisharrow-up19·edit-26 hours agoYou can mitigate similar attacks by editing your .npmrc min-release-age=7 # days ignore-scripts=true
minus-squarePetteriPano@lemmy.worldlinkfedilinkEnglisharrow-up22arrow-down2·6 hours agoIt’s a good way to keep the exploit around for seven days, too, if you apply it right away.
minus-squaretaco_shale032@lemmy.mllinkfedilinkEnglisharrow-up5·6 hours agoI agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.
minus-squareEskuero@lemmy.fromshado.wslinkfedilinkEnglisharrow-up7·6 hours agoAs long as the bot is not allowed to automatically merge minor version bumps in libraries…
minus-squaremagikmw@piefed.sociallinkfedilinkEnglisharrow-up2·2 hours agoWell yes, one can misuse any tool.
You can mitigate similar attacks by editing your .npmrc
min-release-age=7 # days ignore-scripts=trueIt’s a good way to keep the exploit around for seven days, too, if you apply it right away.
I agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.
As long as the bot is not allowed to automatically merge minor version bumps in libraries…
Well yes, one can misuse any tool.