Here is some code on GitHub that does call site checking using Semgrep: https://github.com/lunasec-io/lunasec/blob/master/lunatrace/...
(Note: I helped write that. We're building a similar service to the r2c one.)
You're right that patching is hard because of opaque package diffs. I've seen some tools coming out like Socket.dev which show a diff between versions. https://socket.dev/npm/package/react/versions
But, that said, this is still a hard problem to solve and it's happened before that malware[0][1] has been silently shipped because of how opaque packages are.
0: https://web.archive.org/web/20201221173112/https://github.co...
1: https://www.coindesk.com/markets/2018/11/27/fake-developer-s...
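One way to make a package version diff less opaque, as an added example that is not from the comment above nor from the LunaTrace or Socket.dev projects: unpack two versions of a package tarball and report which files were added, removed or modified by comparing per-file SHA-256 digests. The two tarballs below are constructed inline for the demonstration.

```python
import hashlib
import io
import tarfile


def file_digests(tar_bytes):
    """Map every regular file in a (gzip) tarball to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():  # skip directories, symlinks, etc.
                continue
            data = tar.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def diff_packages(old_tar, new_tar):
    """Return the file-level changes between two package tarballs."""
    old, new = file_digests(old_tar), file_digests(new_tar)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def make_tarball(files):
    """Build a constructed sample tarball from a {path: text} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample versions of a fictional package "demo" (not a real package).
OLD_TARBALL = make_tarball({
    "package/package.json": '{"name": "demo", "version": "1.0.0"}',
    "package/index.js": "module.exports = () => 1;\n",
})
NEW_TARBALL = make_tarball({
    "package/package.json": '{"name": "demo", "version": "1.0.1"}',
    "package/index.js": "module.exports = () => 1;\n",
    "package/lib/extra.js": "module.exports = {};\n",  # new file in 1.0.1
})

if __name__ == "__main__":
    print(diff_packages(OLD_TARBALL, NEW_TARBALL))
```

Only files whose content actually changed are listed, so a version bump in package.json shows up as modified while an untouched index.js does not.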