4 results tagged DependencyHell
$ npm install faker@6.6.6
LIBERTY LIBERTY LIBERTY
Complementary article (FR): https://www.01net.com/actualites/au-bout-du-rouleau-un-developpeur-sabote-ses-logiciels-open-source-2053434.html
Effectively find upstream & downstream dependencies of a Pypi package
More about it: https://blog.acolyer.org/2020/09/21/watchman/
Alt: https://github.com/DavHau/pypi-deps-db
libraries.io also provides this information, possibly less accurate
- Input injection
- Parsing XML
- Assert statements
- Timing attacks
- A polluted site-packages or import path
- Temporary files
- Using yaml.load
- Pickles
- Using the system Python runtime and not patching it
- Not patching your dependencies
A very plausible scenario of a credentials sniffer injected through the npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section: so scary and true.