
Anant's Social Feed

Anant Shrivastava aka anantshri (@anant)

This is nice https://giraffesecurity.dev/posts/dependabot-confusion/

TL;DR: if you have an internal package name for an npm package and someone goes ahead and registers that name in the public repo, Dependabot used to get confused and raise a request to map the repo to the public npm module.

This is not new: #DependencyConfusion has been in the wild for some time https://www.csoonline.com/article/3609779/dependency-confusion-explained-another-risk-when-using-open-source-repositories.html and there are more.

#supplyChain #Dependency #appsec
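The post describes the confusion case: an internal package name that is not pinned to a private registry can be satisfied by a same-named public package, and tooling such as Dependabot then reasons about the public one. The check below is an added example written for this feed entry, not code from the post or from Dependabot: it reads a package.json and a .npmrc, and reports internal dependencies that would resolve from the public registry. The sample package.json, .npmrc, organisation scope `@acme`, the internal name list and the registry hostnames are all constructed for the example.

```javascript
// Added example (not from the linked post or from Dependabot): a small
// lint that flags internal npm dependencies which are not pinned to a
// private registry and therefore could be satisfied by a public package
// of the same name. Runs offline on the constructed inputs below.

// Constructed sample package.json for a hypothetical project.
const PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "@acme/auth-client": "^2.1.0",
    "acme-billing-utils": "1.4.2",
    "@acme/logger": "^1.0.0",
    "express": "^4.18.2",
  },
  devDependencies: {
    "@acme/eslint-config": "^3.0.0",
  },
});

// Constructed .npmrc: the @acme scope is mapped to a private registry,
// everything else falls back to the public registry.
const NPMRC = [
  "registry=https://registry.npmjs.org/",
  "@acme:registry=https://npm.internal.example/",
  "always-auth=true",
].join("\n");

// Hypothetical list of what the organisation considers internal.
const INTERNAL = {
  scopes: ["@acme"],
  unscopedNames: ["acme-billing-utils"],
};

// Parse .npmrc into the default registry plus per-scope registry mappings.
// npm only supports "@scope:registry=" overrides, so unscoped names can
// never be pinned to a private registry this way.
function parseNpmrc(text) {
  const scopeRegistries = {};
  let defaultRegistry = "https://registry.npmjs.org/";
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      defaultRegistry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      scopeRegistries[key.slice(0, -":registry".length)] = value;
    }
  }
  return { defaultRegistry, scopeRegistries };
}

// Assumption for the example: only registry.npmjs.org counts as public.
function isPublicRegistry(url) {
  return /registry\.npmjs\.org/.test(url);
}

// Return the internal dependencies whose resolution would hit the public
// registry, with the reason for each finding.
function findConfusableDeps(packageJsonText, npmrcText, internal) {
  const pkg = JSON.parse(packageJsonText);
  const { defaultRegistry, scopeRegistries } = parseNpmrc(npmrcText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope) {
      if (!internal.scopes.includes(scope)) continue;
      const registry = scopeRegistries[scope] || defaultRegistry;
      if (isPublicRegistry(registry)) {
        findings.push({ name, reason: `scope ${scope} resolves to public registry ${registry}` });
      }
    } else if (internal.unscopedNames.includes(name)) {
      if (isPublicRegistry(defaultRegistry)) {
        findings.push({ name, reason: "unscoped internal name cannot be pinned by a scope mapping; resolves from the public registry" });
      }
    }
  }
  return findings;
}

// Run against the constructed inputs and print the findings.
const findings = findConfusableDeps(PACKAGE_JSON, NPMRC, INTERNAL);
for (const f of findings) console.log(`${f.name}: ${f.reason}`);
```

With the sample .npmrc the scoped `@acme/*` packages are pinned and only the unscoped `acme-billing-utils` is reported; removing the `@acme:registry` line makes every `@acme` dependency show up as well. The practical takeaway is the same as the post's: internal packages should live under a scope that is mapped to a private registry, and unscoped internal names should be treated as a finding because nothing in .npmrc can protect them.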
