by RKearney 1548 days ago
Wasn't SolarWinds compromised for 6+ months? 7 days doesn't sound like enough time. Although maybe that's not a good comparison as this was open source and SolarWinds is closed source.

I remember watching a Walmart talk on Node.js and how they vet every single update to every single module before they pull it into their internal repository for internal distribution. Perhaps the answer is to stop blindly pulling down dependencies from the internet?

2 comments

It's also about threat models, who you're trying to realistically protect yourself from. Some solo idiot with a political cause, not particularly targeting you? Waiting a week before using a new version is probably good enough. A government specifically targeting you? Likely nowhere near good enough. There's a lot in between of course.
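The two mitigations raised above (an internally audited set of module versions, and waiting a fixed quarantine window before adopting a newly published version) can be combined into a simple install-time policy check. The following is an added example, not code from the thread or from Walmart; the package names, registry publish times, audited allowlist and lockfile entries are constructed sample data, and a real tool would read the publish times from the registry instead.

```python
"""Dependency quarantine policy check (added example with constructed data).

Policy: a third-party package version may be installed only if it is
either on the internal audited allowlist, or has been published for at
least MIN_AGE_DAYS, so a backdoored release has time to be noticed and
pulled before it reaches internal builds.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE_DAYS = 7  # the "wait a week" window discussed in the thread

# Constructed registry metadata: package -> version -> publish timestamp (UTC).
REGISTRY_TIMES = {
    "pkg-a": {"1.3.0": "2018-04-01T00:00:00Z", "1.3.1": "2024-05-30T12:00:00Z"},
    "pkg-b": {"4.2.0": "2024-06-01T09:00:00Z"},
}

# Constructed allowlist of versions an internal review team has audited.
AUDITED = {("pkg-b", "4.2.0")}

# Constructed lockfile-style list of resolved dependencies to check.
LOCKFILE = [("pkg-a", "1.3.1"), ("pkg-b", "4.2.0"), ("pkg-a", "1.3.0")]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_dependency(pkg, version, now, min_age_days=MIN_AGE_DAYS):
    """Return (allowed, reason) for one resolved dependency."""
    if (pkg, version) in AUDITED:
        return True, "audited internally"
    published = REGISTRY_TIMES.get(pkg, {}).get(version)
    if published is None:
        # Unknown versions fail closed: their age cannot be reasoned about.
        return False, "version not in registry metadata"
    age = now - parse_ts(published)
    if age < timedelta(days=min_age_days):
        return False, f"published {age.days} day(s) ago, under {min_age_days}-day quarantine"
    return True, f"published {age.days} day(s) ago"


def check_lockfile(entries, now, min_age_days=MIN_AGE_DAYS):
    """Evaluate every entry; return a list of blocked (pkg, version, reason)."""
    blocked = []
    for pkg, version in entries:
        ok, reason = check_dependency(pkg, version, now, min_age_days)
        if not ok:
            blocked.append((pkg, version, reason))
    return blocked


if __name__ == "__main__":
    now = datetime(2024, 6, 2, tzinfo=timezone.utc)  # constructed "current" time
    for pkg, ver, why in check_lockfile(LOCKFILE, now):
        print(f"BLOCKED {pkg}@{ver}: {why}")
```

The allowlist short-circuits the age check, so a freshly audited version can ship immediately while anything unreviewed has to sit out the quarantine window; unknown versions fail closed rather than being waved through.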
>...Walmart talk on Node.js and how they vet every single update to every single module...

Most organizations are not as big as Walmart?

However, if the Walmarts/FANGS/etc with huge mega teams would publish their audited versions, that would be something. However, that seems like a liability without any potential gain for the mega teams.