The other story today about [Red Hat's npm packages being compromised](https://poal.co/s/cybersecurity/804123) told me this is worth sharing.
It’s a quick guide to setting up dependency cooldowns in a long list of package managers (like npm).
Dependency cooldown is when you install only versions of a package that were not posted recently. The site says almost all of these exploited package releases are caught within 2 weeks. If you only install package versions that are older than 2 weeks you will avoid almost all of these attacks.
I find it funny that they tell you how to set up dependency cooldowns [inside container images](https://cooldowns.dev/#container-images), but they don't even mention cooldowns for container image updates, which could contain malware. As usual, the container community (mainly Docker) are idiots when it comes to regular updates and security.
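As an added illustration of the cooldown rule described in the post (not code from the post or from cooldowns.dev), the script below picks the newest version of a package whose publish date is at least 14 days old. It works on the `time` map that the npm registry returns in a package document (version -> ISO-8601 publish timestamp, plus the non-version keys `created` and `modified`); the package name, versions and timestamps are constructed sample data, and the 14-day window is the figure the post quotes.

```python
"""Select the newest package version that has cooled down for N days.

Input shape follows the npm registry packument: packument["time"] maps each
published version to its publish timestamp, alongside 'created'/'modified'.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample resembling a registry packument (not real data).
SAMPLE_PACKUMENT = {
    "name": "example-lib",  # hypothetical package
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T09:00:00.000Z",
        "1.0.0": "2024-01-01T00:00:00.000Z",
        "1.1.0": "2024-02-15T12:00:00.000Z",
        "1.1.1": "2024-03-01T08:00:00.000Z",
        "1.2.0-rc.1": "2024-03-05T10:00:00.000Z",
        "1.2.0": "2024-03-10T09:00:00.000Z",  # freshly published: not yet trusted
    },
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(version):
    """Return a sortable key for a semver string, or None for non-version keys.

    A pre-release (e.g. 1.2.0-rc.1) sorts below the release it precedes, so the
    tuple carries a boolean 'is a final release' before the pre-release tag.
    """
    m = _SEMVER.match(version)
    if m is None:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")


def parse_publish_time(stamp):
    """Parse the registry's 'YYYY-MM-DDTHH:MM:SS.mmmZ' timestamp as aware UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def cooled_versions(packument, now, cooldown_days=14, allow_prerelease=False):
    """List (sort_key, version) for every version published at or before the cutoff."""
    cutoff = now - timedelta(days=cooldown_days)
    out = []
    for version, published in packument["time"].items():
        key = parse_version(version)
        if key is None:
            continue  # 'created' / 'modified' are not versions
        if not allow_prerelease and not key[3]:
            continue
        if parse_publish_time(published) <= cutoff:
            out.append((key, version))
    return out


def select_cooled_version(packument, now, cooldown_days=14, allow_prerelease=False):
    """Newest version old enough to install, or None if nothing has cooled down yet.

    Returning None (rather than falling back to the latest release) is deliberate:
    a package whose every version is younger than the window should fail the
    install and be looked at by a human, not silently bypass the cooldown.
    """
    candidates = cooled_versions(packument, now, cooldown_days, allow_prerelease)
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    today = datetime(2024, 3, 12, tzinfo=timezone.utc)
    chosen = select_cooled_version(SAMPLE_PACKUMENT, today)
    print(f"{SAMPLE_PACKUMENT['name']}: install {chosen} (14-day cooldown as of {today.date()})")
```

The same cutoff can be fed to npm directly: its `before` config option (`npm install --before=<date>`) restricts resolution to versions published on or before the given date, which is the simplest way to apply the rule without a custom resolver.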