There are a few companies in this space that are trying to do the "Security Seal of Approval" thing to various degrees.
Tidelift is one company that has a bunch of "catalogs"[0] of packages. I'm not sure how their package metadata is generated though -- maybe semi-manually?
There is also Bytesafe[1] which is supposed to help give you a way to "firewall" yourself from unapproved dependencies. I don't think they sell data though. Just tools.
A company based on the open-source project packj[2] is Ossilate[3], which is trying to use automated analysis for analyzing 3rd-party packages.
And another that's in this space is Socket.dev[4] which tries to warn you in your PRs about bad packages.
I know about this space because I work on a project[5] that's also related to supply chain security. It's a bit different from all of the above since we're focused on patching known vulns, but the idea of "vetted packages" has crossed my mind before.
Are there any other services in this space that I missed?
0: https://tidelift.com/solutions/catalogs
1: https://bytesafe.dev/
2: https://github.com/ossillate-inc/packj
3: https://ossillate.com/
4: https://socket.dev/
5: https://github.com/lunasec-io/lunasec/