
Is there a tool that you can put between your npm client and the npm web servers that serves package versions that are a month old and possibly also tracks discovered malware and never serves infected versions?

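As an added illustration of the policy the question asks for (not code from the thread, nor from any of the tools named in it), the following Node snippet filters an npm packument the way a registry proxy could before handing it to a client: every version younger than a minimum age is hidden, every version on a denylist of known-bad releases is hidden, and `dist-tags.latest` is rewritten to the newest version that survives. The package data, the denylist and the "now" timestamp are constructed sample inputs; the function names are the example's own.

```javascript
// Added example: an age-plus-denylist filter over an npm packument, as a
// registry proxy might apply it. All names and sample data are constructed.

const MIN_AGE_DAYS = 30;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric compare on major/minor/patch. Prereleases are never selected by
// this policy, so they do not need to be ordered against each other here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Versions of `packument` that the policy allows, newest first.
function allowedVersions(packument, opts = {}) {
  const { minAgeDays = MIN_AGE_DAYS, denylist = new Set(), now = Date.now() } = opts;
  const cutoff = now - minAgeDays * MS_PER_DAY;
  const times = packument.time || {};
  return Object.keys(packument.versions || {})
    .filter((v) => {
      const parsed = parseVersion(v);
      if (!parsed || parsed.pre) return false;   // unparsable or prerelease: skip
      if (denylist.has(v)) return false;          // known-bad release
      const published = Date.parse(times[v]);
      if (Number.isNaN(published)) return false;  // no publish time: fail closed
      return published <= cutoff;                 // old enough to have been looked at
    })
    .sort((a, b) => compareVersions(b, a));
}

// The packument the proxy would serve: only allowed versions, with dist-tags
// reduced to a "latest" pointing at the newest allowed one. Returns null when
// nothing passes, so the caller can answer 404 instead of leaking "latest".
function filterPackument(packument, opts) {
  const keep = allowedVersions(packument, opts);
  if (keep.length === 0) return null;
  const versions = {};
  const time = {};
  for (const k of ["created", "modified"]) {
    if (packument.time && packument.time[k]) time[k] = packument.time[k];
  }
  for (const v of keep) {
    versions[v] = packument.versions[v];
    time[v] = packument.time[v];
  }
  return { ...packument, versions, time, "dist-tags": { latest: keep[0] } };
}

// Constructed sample packument: 2.1.0 is two days old, 2.0.0 is 34 days old,
// and 2.2.0-beta.1 is a prerelease.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "2.1.0" },
  versions: { "1.0.0": {}, "1.2.0": {}, "2.0.0": {}, "2.1.0": {}, "2.2.0-beta.1": {} },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-09T00:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.2.0": "2024-01-20T00:00:00.000Z",
    "2.0.0": "2024-02-05T00:00:00.000Z",
    "2.1.0": "2024-03-08T00:00:00.000Z",
    "2.2.0-beta.1": "2024-03-09T00:00:00.000Z",
  },
};
const SAMPLE_NOW = Date.parse("2024-03-10T00:00:00.000Z");
const SAMPLE_DENYLIST = new Set(["2.0.0"]); // pretend 2.0.0 was reported malicious

// With the 30-day rule alone the proxy would serve 2.0.0 as latest; with
// 2.0.0 denylisted it falls back to 1.2.0.
function demo() {
  const served = filterPackument(SAMPLE_PACKUMENT, { now: SAMPLE_NOW, denylist: SAMPLE_DENYLIST });
  return served ? served["dist-tags"].latest : null;
}

console.log(demo());
```

Two caveats a practitioner would add: the age rule only buys time for a compromised release to be noticed, so the denylist needs to be fed from somewhere (an advisory feed, an internal blocklist) for the second half of the question to hold; and a version that fails the policy should disappear from the packument entirely, as above, rather than merely losing its `latest` tag, because `npm install pkg@2.1.0` asks for it by exact version. For the age half alone, npm's own `--before=<date>` install option restricts resolution to versions published on or before a date client-side, without a proxy.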

Artifactory. Nexus. I believe AWS/GCP/Azure have offerings.

No bank, and almost no large corporation, goes directly to artifact/package repos. They all host them internally.


Yes, but the public npmjs repository also blocks our corporate IP addresses, so our CI/CD pipelines can't ruin npm for everybody else.


Artifactory works fairly well. Although admittedly, when a user grabs a new dependency, they're downloading from the npmjs registry like anyone else.

Really, the killer combo would be to have some kind of LLM-based tool that would scan someone's artifactory. Something smart enough to notice that code changed, and there's code for accessing a crypto-wallet, etc. This would be too expensive for npmjs to host for free, but I could see this happen to hosted artifactory dependencies.


I'm looking at Verdaccio currently, since Artifactory is expensive and I think the CE version still only supports C++. Does anyone have any experience with Verdaccio?


The company that first found this vulnerability also has a tool for this: https://www.npmjs.com/package/@aikidosec/safe-chain


Something like this? https://jfrog.com/artifactory/



