Preventing supply chain attacks #22

Closed
opened 2026-04-28 08:20:05 +10:00 by unkinben · 0 comments
Owner

Most supply chain attacks are discovered quickly. Add a Boolean feature flag and integer value (days) that can be set per remote. The purpose being that the request should be denied if the immutable object (typically the package we request from npm, pypi, etc) is less than days old.

The 404 message should include why it was blocked.

If we can skip using the newest releases for x days we can skip supply chain attacks that are discovered fast as they are typically removed when found.

Most supply chain attacks are discovered quickly. Add a Boolean feature flag and integer value (days) that can be set per remote. The purpose being that the request should be denied if the immutable object (typically the package we request from npm, pypi, etc) is less than <integer> days old. The 404 message should include why it was blocked. If we can skip using the newest releases for x days we can skip supply chain attacks that are discovered fast as they are typically removed when found.
Sign in to join this conversation.
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/artifactapi#22