Hacker News
by jiayo 1587 days ago
Another thing to consider is malicious packages being published. In the Node ecosystem, the last few times this has happened, the community reacts quickly with a speedy (<12h) un-publish, and the whole incident might be over before your development team wakes up in the morning. However, if you immediately and automatically build every single dependency upgrade on your CI systems, you are dramatically increasing your exposure.

It's important to ensure your CI systems do not hold any important credentials, and are decoupled from your deployments. In a setup like this, at best, your source code may be stolen by one of these malicious packages. At worst, it will scrape for goodies such as `AWS_SECRET_ACCESS_KEY`.