by jamesdepp
1161 days ago
I feel like this is a major design flaw in the package managers being used. If people have to squat package names to mitigate the chances of a dependency confusion attack, then the package manager/package repository needs to find a better solution. I think this is something GoLang does a great job at. To use a package, you have to specify the exact URL of the repo. This mitigates the risk of dependency confusion since an attacker would need control over the domain to upload a conflicting package.
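To make the point above concrete, here is an added example (written for this page; it is not the commenter's code and not part of the Go toolchain): a small Go program that reads the `require` directives of a constructed go.mod, reports the DNS host each module path resolves through, and marks which paths are covered by a GOPRIVATE-style pattern list. The go.mod content is made up for the example, the parser is deliberately minimal (it ignores replace/exclude/retract), and `MatchPrefixPattern` is an approximation of the go command's GOPRIVATE prefix matching, built on `path.Match` as an assumption about its semantics.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// sampleGoMod is a constructed go.mod used as input for this example; it is
// not taken from any real project.
const sampleGoMod = `module example.com/internal/payments

go 1.21

require (
	github.com/stretchr/testify v1.8.4 // indirect
	git.corp.example.com/platform/auth v0.3.1
	golang.org/x/crypto v0.17.0
	example.com/internal/ledger v1.2.0
)

require rsc.io/quote v1.5.2
`

// Requirement is one module path/version pair from a require directive.
type Requirement struct {
	Path    string
	Version string
}

// ParseRequires pulls (path, version) pairs out of the require directives of
// a go.mod. Minimal parser for this example: handles single-line and block
// forms and strips trailing comments; replace, exclude and retract are ignored.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			reqs = append(reqs, Requirement{fields[0], fields[1]})
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			reqs = append(reqs, Requirement{fields[1], fields[2]})
		}
	}
	return reqs
}

// MatchPrefixPattern reports whether modPath matches one GOPRIVATE-style
// pattern. Assumption: a pattern matches when path.Match accepts it against
// the full module path or any prefix that ends on a '/' boundary, e.g.
// "*.corp.example.com" covers "git.corp.example.com/platform/auth" but
// "example.com/internal" does not cover "example.com/internal-tools/x".
func MatchPrefixPattern(pattern, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for i := 1; i <= len(elems); i++ {
		prefix := strings.Join(elems[:i], "/")
		if ok, err := path.Match(pattern, prefix); err == nil && ok {
			return true
		}
	}
	return false
}

// Host returns the first element of a module path: the DNS name an attacker
// would have to control to serve a substitute for that module.
func Host(modPath string) string {
	return strings.SplitN(modPath, "/", 2)[0]
}

// Finding describes one dependency: the host it resolves through and whether
// a private pattern keeps it away from the public proxy and checksum database.
type Finding struct {
	Path    string
	Host    string
	Private bool
}

// Classify evaluates every requirement in gomod against a comma-separated
// GOPRIVATE value, the same shape `go env GOPRIVATE` would show.
func Classify(gomod, goprivate string) []Finding {
	var patterns []string
	for _, p := range strings.Split(goprivate, ",") {
		if p = strings.TrimSpace(p); p != "" {
			patterns = append(patterns, p)
		}
	}
	var out []Finding
	for _, r := range ParseRequires(gomod) {
		f := Finding{Path: r.Path, Host: Host(r.Path)}
		for _, p := range patterns {
			if MatchPrefixPattern(p, r.Path) {
				f.Private = true
				break
			}
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range Classify(sampleGoMod, "*.corp.example.com,example.com/internal") {
		scope := "public: fetched via GOPROXY, checked against sum.golang.org"
		if f.Private {
			scope = "private: skips the public proxy and checksum database"
		}
		fmt.Printf("%-38s host=%-22s %s\n", f.Path, f.Host, scope)
	}
}
```

The caveat a practitioner would add: the host in each module path is only a defence if you actually control it, and the private patterns matter too. With the default `GOPROXY=https://proxy.golang.org,direct` and no GOPRIVATE/GONOPROXY setting, the go command asks the public proxy for internal module paths first (leaking their names) and then expects sum.golang.org to vouch for them, which fails for modules that service cannot fetch.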