[prdonahue]

> Anyone know of a better way to protect yourself than setting a min release age on npm/pnpm/yarn/bun/uv (and anything else that supports it)?

Most of these attacks don't make it into the upstream source, so solutions[1] that build from source get you ~98% of the way there. If you can't get a from-source build vs. pulling directly from the registries, can reduce risk somewhat with a cooldown period.

For the long tail of stuff that makes it into GitHub, you need to do some combination of heuristics on the commits/maintainers and AI-driven analysis of the code change itself. Typically run that and then flag for human review.

[1] Here's the only one I know that builds everything from source: https://www.chainguard.dev/libraries

(Disclaimer: I work there.)

[schnatterer]

Can you give some examples for the claim that most of the attacks don't make it upstream? My gut tells me that, yes, mostly binaries have been compromised. But I am sure you have some real-world examples proving the point.

[eranation]

Build from source is a great idea, I assume you provide SLSA/sigstore like provenance as well?

[arianvanp]

The chainguard folks built sigstore :)

[eranation]

Yep yep, hence the ask, expected for containers, wondering if also for build from source.