Preventing supply chain attacks #22
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Most supply chain attacks are discovered quickly. Add a Boolean feature flag and integer value (days) that can be set per remote. The purpose being that the request should be denied if the immutable object (typically the package we request from npm, pypi, etc) is less than days old.
The 404 message should include why it was blocked.
If we can skip using the newest releases for x days we can skip supply chain attacks that are discovered fast as they are typically removed when found.