Software supply chain risk

Discussion created by IanJempson on Nov 28, 2018
Latest reply on Nov 28, 2018 by jrenfrew

A heads up about risk in the software dependency chain. With more people moving to using Node.js for web enablement it's worth bearing in mind that you need to think about risk in the software supply chain, particularly risks from NPM packages that you might not otherwise think about. The problem's not unique to NPM, but is also present with other package management systems such as RubyGems or pip or whatever people use with PHP. Does anyone still use PHP?

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week) • The Register

There are a couple of software services that mitigate the risk by reporting on issues in the dependency chain. GitHub and GitLab have purchased companies that do that and Dependabot is still independent.
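The "check your repos" advice above boils down to enumerating every package a lockfile actually installs, transitive ones included, and comparing that list against advisories. The script below is an added example of that check, not code from the original post or from any of the services it names. It walks a package-lock.json in both the lockfileVersion 1 nested form and the lockfileVersion 2/3 flat form and reports matches against a constructed advisory list; the package names, versions, advisory identifiers and the two sample lockfiles are all made up for illustration and do not describe a real incident.

```javascript
// Added example: an offline lockfile auditor. Everything below (package names,
// versions, advisory IDs, sample lockfiles) is constructed for illustration.

// Constructed advisories. "affected" is [min, max) with max exclusive; null means
// unbounded on that side. A real tool would fetch these from an advisory database.
const ADVISORIES = [
  { id: "CONSTRUCTED-1", name: "example-stream-util", affected: ["3.3.6", "3.3.7"],
    note: "malicious transitive dependency added in this release" },
  { id: "CONSTRUCTED-2", name: "example-leftpad", affected: [null, "1.2.0"],
    note: "prototype pollution fixed in 1.2.0" },
];

// Reduce "v1.2.3-beta+build" to [1, 2, 3]; enough for range checks here.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically, not lexically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function inRange(version, [min, max]) {
  if (min !== null && compareVersions(version, min) < 0) return false;
  if (max !== null && compareVersions(version, max) >= 0) return false;
  return true;
}

// Returns [{ name, version, path }] for every installed package. "path" is the
// chain of dependencies that pulled it in, so a finding shows which direct
// dependency is responsible for a transitive one.
function collectPackages(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/b". The "" key is the root project itself.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === "") continue;
      const chain = key.split("node_modules/").slice(1).map((s) => s.replace(/\/$/, ""));
      found.push({ name: chain[chain.length - 1], version: meta.version, path: chain.join(" > ") });
    }
    return found;
  }
  // lockfileVersion 1: nested "dependencies" objects, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const chain = [...prefix, name];
      found.push({ name, version: meta.version, path: chain.join(" > ") });
      walk(meta.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Cross the installed set with the advisory list; returns one finding per match.
function audit(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const pkg of collectPackages(lock)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && inRange(pkg.version, adv.affected)) {
        findings.push({ ...pkg, advisory: adv.id, note: adv.note });
      }
    }
  }
  return findings;
}

// Constructed lockfileVersion 1 sample. The flagged package is only reachable
// through a direct dependency, which is exactly the case the post warns about.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-web-framework": {
      version: "4.16.4",
      dependencies: {
        "example-stream-util": {
          version: "3.3.6",
          dependencies: { "example-flatmap": { version: "0.1.1" } },
        },
      },
    },
    "example-leftpad": { version: "1.3.0" }, // patched, must not be flagged
  },
};

// The same constructed tree in the lockfileVersion 2/3 flat form.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-web-framework": { version: "4.16.4" },
    "node_modules/example-web-framework/node_modules/example-stream-util": { version: "3.3.6" },
    "node_modules/example-web-framework/node_modules/example-stream-util/node_modules/example-flatmap": { version: "0.1.1" },
    "node_modules/example-leftpad": { version: "1.3.0" },
  },
};

for (const f of audit(SAMPLE_LOCK_V1)) {
  console.log(`${f.advisory}: ${f.name}@${f.version} via ${f.path} (${f.note})`);
}
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync("package-lock.json"))`; the important design point is that the audit operates on the lockfile rather than package.json, because package.json only lists direct dependencies and the compromised package in the incident linked above was a transitive one.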