Just some suggestions:

1. Dependency cooldowns of 1-2 days seem to be extremely effective without negatively impacting your ability to patch for CVEs.

2. Anywhere you have `npm install` or `npm test` or anything where code executes, that should happen in an environment that has no privileges. In your GitHub Actions you can do this semi-straightforwardly by using two separate jobs - one to build the artifacts and test them, another to do any sort of publishing, signing, etc. If you use AI, add a skill / guidance to enforce this pattern.

3. If you use GitHub Actions, install the latest version of zizmor. It will significantly improve your posture.

(2) means that you are no longer "wormable", which is a massive part of the problem that we have today. (1) gives companies more time to respond to the attacks.

There are some vendors in this space that you can and should evaluate as well.
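The two-job split from point (2), written out as an added example that is not part of the original comment. It assumes an npm package published on `v*` tags; the `@v4` action references are placeholders and should be pinned to commit SHAs in a real workflow.

```yaml
name: build-and-publish
on:
  push:
    tags: ['v*']

# Default for every job: read-only, no write scopes anywhere.
permissions:
  contents: read

jobs:
  build:
    # Untrusted phase: dependency install scripts and the test suite
    # execute here. This job has no secrets and no write permissions,
    # so a malicious package can only affect this throwaway runner.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4          # placeholder: pin to a SHA
      - uses: actions/setup-node@v4        # placeholder: pin to a SHA
        with:
          node-version: '20'
      - run: npm ci        # lifecycle scripts run here, with no credentials
      - run: npm test
      - run: npm pack      # produce the tarball that will be published
      - uses: actions/upload-artifact@v4   # placeholder: pin to a SHA
        with:
          name: package
          path: '*.tgz'

  publish:
    # Privileged phase: only the tarball from the build job is touched.
    # No `npm install` and no test run happens here, so dependency code
    # never executes in the job that holds the publish token.
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # needed only for npm provenance attestations
    steps:
      - uses: actions/download-artifact@v4  # placeholder: pin to a SHA
        with:
          name: package
      - uses: actions/setup-node@v4         # placeholder: pin to a SHA
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'
      - run: npm publish ./*.tgz --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # assumed secret name
```

Running zizmor over this file is a quick check that the permissions block is minimal and that the action references get pinned.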

> install the latest version of zizmor.

What if it gets compromised?

More of a joke. But it was funny after saying that new packages should be delayed.

lol yeah I thought of that as I was typing but figured I'd avoid the complexity. "latest version" means, give or take, whichever the latest one was that contained a bunch of new rules around supply chain stuff.

Should we instead of these cooldowns just run builds in isolated contexts?

I’m running a Maven proxy locally. All builds happen inside containers. I only use public repos for Python, npm, and Go. So these builds also happen in containers but don’t need a repository proxy.

> Should we instead of these cooldowns just run builds in isolated contexts?

I'd suggest both. Cooldown for 1-2 days is very cheap and you likely won't even notice it, so it's quite harmless and from what I've seen even just 24 hours is enough to let security companies pick up malware.

But yeah, isolation is a must-have.

At this point, is there an obligation of package managers, or at least npm, to arrange the sandboxing themselves?

Or is it on us or companies to wrap the build tools to provide the wrapping for them?

Oh, absolutely they should do that.

> anything where code executes

ALL the agentic orchestrators like codex, claude-code, etc. seem to do this by default.

Exactly, popular AI coding harnesses (OpenCode/KiloCode) download random npm packages in the background without you knowing. What's worse is the devs don't care.