Reading up on supply-chain-security
6 deep · digging since jan 02
- .gitignore Isn't the only way to ignore files in Git
The article explores alternative Git ignore mechanisms beyond .gitignore, including .gitattributes for diff suppression and local exclude files, while sparking debate on reviewing lockfile diffs.
- How to Evaluate an npm Package - 2026 Edition
A practical checklist for evaluating npm packages in 2026 covering security, maintenance, provenance, CI quality, and incident response to make informed dependency decisions.
- {{IW4QaZoc2}}
Perplexity open-sources Bumblebee, a read-only scanner that checks developer machines for risky packages, extensions, and AI tool configs during supply-chain incidents.
- GitHub Actions is the weakest link
GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.
- Package Managers Need to Cool Down
A survey finds that while many package managers and update tools have adopted dependency cooldowns to prevent supply chain attacks, implementations vary wildly in naming, scope, and timestamp handling, and major ecosystems like Go, Maven, and Gradle still lack support.
- Cursed Bundler: Using go get to install Ruby Gems
Go's module proxy and transparency log can be repurposed to fetch and verify Ruby gems with better integrity guarantees than RubyGems itself.