by ashishbijlani
886 days ago
> For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.

I'm taking a stab at addressing this problem with Packj [1]. It carries out static/dynamic/metadata analysis to look for "suspicious" attributes such as spawning of a shell, invalid/expired email (i.e., no 2FA), use of files, network communication, use of decode+eval, mismatch of GitHub code vs. packaged code, and several more.

1. https://github.com/ossillate-inc/packj
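To make the kind of static checks listed above concrete, here is a small added example (not Packj's own code) that walks a Python install script's AST and flags shell spawning, file use, network imports and decode+eval; the finding names, the watch-lists and the sample script are all constructed for illustration.

```python
import ast

# Constructed sample of a suspicious setup.py-style script (not a real package).
SAMPLE_SETUP = '''
import base64, os, socket
payload = "cHJpbnQoJ2hpJyk="
exec(base64.b64decode(payload).decode())
os.system("echo installed")
with open("/tmp/marker", "w") as f:
    f.write("x")
'''

# Assumed watch-lists; a real analyzer would be far more complete.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
NETWORK_MODULES = {"socket", "urllib", "requests", "http"}
DECODE_NAMES = {"decode", "b64decode", "b32decode", "unhexlify"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_source(src):
    """Return the set of suspicious attributes found in Python source text."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in NETWORK_MODULES for a in node.names):
                findings.add("network")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                findings.add("network")
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SHELL_CALLS:
                findings.add("shell_spawn")
            elif name == "open":
                findings.add("file_access")
            elif name in {"eval", "exec"}:
                # decode+eval: the evaluated expression itself contains a decode call
                for inner in ast.walk(node):
                    if (inner is not node and isinstance(inner, ast.Call)
                            and isinstance(inner.func, ast.Attribute)
                            and inner.func.attr in DECODE_NAMES):
                        findings.add("decode_eval")
    return findings
```

Running `scan_source(SAMPLE_SETUP)` reports all four attributes, while benign code such as `x = 1 + 2` yields an empty set.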