https://github.com/pypa/pypi-support/issues/923
"The package only contains __init__.py file, that says:
# the purpose is to make everyone pay attention to software supply chain attacks, because the risks are too great."
https://github.com/cupy/cupy/issues/4787
Salient points being that cupy releases a new named package for each cuda version, so future package names are of course predictable. Since PyPI doesn't allow namespacing, cupy's plan is to register new names ASAP when cuda releases a new version and to monitor and report other packages purporting to be cupy that get uploaded.
> Not sure how we could fix it without slowing way down and doing a lot more work.
You restrict what your dependencies can do in the first place, so that if they're malicious (or just buggy) the scope of what they can do is limited. This doesn't eliminate the risk entirely; after all, it's possible for a library to introduce vulnerabilities just by doing its job incorrectly. But it massively limits the scope of what you'd need to audit. Right now, any dependency can do anything, so you'd need to audit all of them.
See POLA Would Have Prevented the Event-Stream Incident[0] for more explanation and LavaMoat[1] for an example of tooling that's trying to tackle this problem.
[0] https://medium.com/agoric/pola-would-have-prevented-the-even...
[1] https://github.com/LavaMoat/lavamoat