by mcintyre1994
268 days ago
Nice, but I think the config file is a much better implementation for protecting against supply chain attacks, particularly those targeting developers rather than runtime. You don't want to rely on every developer passing a flag every time they install. This does suffer from the risk of using `npm install` instead of `pnpm install` though. It would also be nice to have this as a flag so you can use it on projects that haven't configured it; I wonder if that could be added too.
https://research.swtch.com/vgo-mvs#upgrade_timing
MVS makes tons of sense: you shouldn't randomly uptake "new" packages that haven't been "certified" by package maintainers in their own dependencies.
In the case of a vulnerable sub-dependency, you're effectively having to "do the work" to certify that PackageX is compatible with PackageY, and "--minAge" gives industry (and maintainers) time to scan before insta-pwning anyone who is unlucky that day.
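An added example of the minimum-age logic both comments are discussing, written for this page and not taken from pnpm or npm: it picks the newest version of a package whose publish time is at least N days old, using the `time` map that registry packuments carry, and treats a checked-in config value as a floor that a `--minAge` flag can raise but not lower. The packument is constructed, and the config key `minimumAgeDays` is a hypothetical name, not a real pnpm setting.

```javascript
// Constructed sample packument (shape of a registry document, not real data).
const samplePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.4.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2025-03-10T12:00:00.000Z",
    "1.2.0": "2024-11-01T00:00:00.000Z",
    "1.3.0": "2025-02-01T00:00:00.000Z",
    "1.4.0": "2025-03-10T12:00:00.000Z", // freshly published: the risky one
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Numeric major.minor.patch comparison; sufficient for the sample versions.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version published at least minAgeDays before `now`, or null when
// every published version is younger than the cutoff (install should fail
// closed rather than silently take the newest release).
function resolveWithMinAge(packument, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const eligible = Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareSemver);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Project config (hypothetical key `minimumAgeDays`) is the floor so that no
// developer has to remember the flag; `--minAge=N` may only raise it.
function effectiveMinAge(config, argv) {
  const fromConfig = Number.isFinite(config?.minimumAgeDays) ? config.minimumAgeDays : 0;
  const flag = argv.find((a) => a.startsWith("--minAge="));
  const fromFlag = flag ? Number(flag.slice("--minAge=".length)) : 0;
  return Math.max(fromConfig, Number.isFinite(fromFlag) ? fromFlag : 0);
}

console.log(resolveWithMinAge(samplePackument, effectiveMinAge({ minimumAgeDays: 7 }, []),
  new Date("2025-03-15T00:00:00.000Z"))); // 1.3.0: 1.4.0 is only five days old
```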