qaz@lemmy.world to Selfhosted@lemmy.world · English · 2 months ago
Axios JavaScript library has been compromised with malware in supply chain attack (github.com)
cross-posted to: opensource@lemmy.ml
PetteriPano@lemmy.world · 2 months ago
It’s a good way to keep the exploit around for seven days, too, if you apply it right away.

taco_shale032@lemmy.ml · 2 months ago
I agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.

Eskuero@lemmy.fromshado.ws · 2 months ago
As long as the bot is not allowed to automatically merge minor version bumps in libraries…

magikmw@piefed.social · 2 months ago
Well yes, one can misuse any tool.

Eskuero@lemmy.fromshado.ws · 2 months ago
How? If you got hit by this you are looking at restoring the system from a safe previous version. And the compromised versions get pulled, not superseded by a new release, so once you rebuild you would go back to a safe version…
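The thread's two gating rules (do not pick up a release until it has sat on the registry for about a week, and never stay on a version the registry has since pulled) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from axios, or from npm/Renovate/Dependabot. It assumes the npm registry's packument shape (a `versions` map of currently published versions and a `time` map of version to publish timestamp, where an unpublished version drops out of `versions` but keeps its `time` entry). The package name `example-lib`, the timestamps and the 7-day window are constructed for the example.

```javascript
// Added example, not code from the Lemmy thread or from axios/npm/Renovate.
// Release-age gate: refuse versions younger than a cooldown window and
// versions the registry no longer lists (unpublished/pulled).
//
// Assumed metadata shape: the npm registry packument returned by
// GET https://registry.npmjs.org/<name> ("versions" and "time" maps).
// The document below is CONSTRUCTED for this example, not real data.

const COOLDOWN_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

const packument = {
  name: "example-lib", // hypothetical package
  "dist-tags": { latest: "1.3.0" },
  versions: {
    "1.1.0": {},
    "1.2.0": {},
    "1.3.0": {},
  },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T00:00:00.000Z",
    "1.1.0": "2024-01-01T00:00:00.000Z",
    "1.2.0": "2024-02-01T00:00:00.000Z",
    "1.2.1": "2024-03-08T00:00:00.000Z", // in `time` but not `versions`: pulled
    "1.3.0": "2024-03-10T00:00:00.000Z",
  },
};

// Age of a version's publish timestamp in (fractional) days at `now`.
function ageInDays(doc, version, now) {
  return (now.getTime() - Date.parse(doc.time[version])) / MS_PER_DAY;
}

// Classify one version: "unknown" (never existed), "unpublished" (pulled),
// "too-new" (inside the cooldown window) or "ok".
function classifyVersion(doc, version, now, cooldownDays = COOLDOWN_DAYS) {
  if (doc.time[version] === undefined) return "unknown";
  if (!(version in doc.versions)) return "unpublished";
  return ageInDays(doc, version, now) < cooldownDays ? "too-new" : "ok";
}

// Numeric compare of dotted versions ("1.10.0" > "1.9.3"). Pre-release
// suffixes are deliberately unsupported; such versions are skipped below.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Highest still-published version that has cleared the cooldown, or null.
// This is what a bot should propose instead of blindly following `latest`.
function newestSettledVersion(doc, now, cooldownDays = COOLDOWN_DAYS) {
  const candidates = Object.keys(doc.versions)
    .filter((v) => !v.includes("-"))
    .filter((v) => classifyVersion(doc, v, now, cooldownDays) === "ok")
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Gate a lockfile-style map {name: version} against a map of packuments.
// Returns one finding per dependency whose pinned version is not "ok".
function gateLockfile(deps, packuments, now, cooldownDays = COOLDOWN_DAYS) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const doc = packuments[name];
    const status = doc ? classifyVersion(doc, version, now, cooldownDays) : "unknown";
    if (status !== "ok") {
      const suggest = doc ? newestSettledVersion(doc, now, cooldownDays) : null;
      findings.push({ name, version, status, suggest });
    }
  }
  return findings;
}

// Stand-alone run on the constructed data. `now` is fixed so the result is
// reproducible: 1.3.0 is two days old (too new), 1.2.1 was pulled.
const NOW = new Date("2024-03-12T00:00:00.000Z");
const lock = { "example-lib": "1.3.0" };
console.log(JSON.stringify(gateLockfile(lock, { "example-lib": packument }, NOW), null, 2));
```

Run it with `node`; on the constructed data the lockfile pin `1.3.0` is reported as `too-new` with `1.2.0` suggested, and a pin on the pulled `1.2.1` would be reported as `unpublished` so the rebuild falls back to a version the registry still serves. Renovate exposes the same policy at the config level as `minimumReleaseAge` (for example `"7 days"`), and the "don't auto-merge minor bumps" rule from the thread is a `packageRules` entry with `automerge: false` for `matchUpdateTypes: ["minor", "major"]`.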