
I think the cooldown approach would make this type of attack have practically no impact anymore: if nobody ever updates to a newly published package version until, say, 2-3 days have gone by, surely there will be enough time for the owner of the package to notice he got pwned.
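The cooldown proposed above, written out as an added example (not code from the thread or from any package manager): given the per-version publish timestamps an npm-style registry exposes in a package's `time` map, decide which versions are old enough to install under a "nothing newer than N days" policy. The registry data and the fixed "now" are constructed; the allowlist parameter is an assumption of this example, added to show how a hand-reviewed advisory fix could bypass the delay.

```python
"""Minimum-age ("cooldown") check for package versions.

Added example, not code from the thread or from any package manager. It
takes the kind of per-version publish timestamps an npm-style registry
exposes (the `time` map of a package's metadata) and decides which versions
are old enough to install under a policy of "nothing newer than N days".
The sample metadata below is constructed, not fetched from a registry.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry `time` map: version -> ISO 8601 publish time.
SAMPLE_TIME_FIELD = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2025-09-08T09:30:00.000Z",
    "1.4.0": "2025-06-01T08:00:00.000Z",
    "1.4.1": "2025-09-05T10:00:00.000Z",
    "1.5.0-beta.1": "2025-09-06T15:00:00.000Z",
    "1.4.2": "2025-09-08T09:30:00.000Z",  # pushed a few hours before SAMPLE_NOW
}

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2025, 9, 8, 12, 0, tzinfo=timezone.utc)

# Keys in the `time` map that are not version numbers.
NON_VERSION_KEYS = {"created", "modified"}


def parse_publish_time(ts):
    """Parse a registry timestamp (trailing 'Z' allowed) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def version_key(version):
    """Sort key: numeric core first; a prerelease sorts below its final release."""
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return numbers, 0 if prerelease else 1, prerelease


def eligible_versions(time_field, now, min_age_days, allowlist=frozenset()):
    """Return {version: eligible} for every version in the `time` map.

    A version is eligible when it was published at least `min_age_days`
    before `now`, or when it is explicitly allowlisted (assumed mechanism for
    a release that fixes an advisory and was reviewed by hand).
    """
    cutoff = now - timedelta(days=min_age_days)
    return {
        version: version in allowlist or parse_publish_time(ts) <= cutoff
        for version, ts in time_field.items()
        if version not in NON_VERSION_KEYS
    }


def newest_eligible(time_field, now, min_age_days, allowlist=frozenset(),
                    include_prerelease=False):
    """Highest version that passes the cooldown, or None if none does."""
    candidates = [
        version
        for version, ok in eligible_versions(time_field, now, min_age_days, allowlist).items()
        if ok and (include_prerelease or "-" not in version)
    ]
    return max(candidates, key=version_key) if candidates else None


if __name__ == "__main__":
    for days in (0, 3):
        print(f"min age {days}d:", newest_eligible(SAMPLE_TIME_FIELD, SAMPLE_NOW, days))
```

With a 3-day minimum the freshly pushed 1.4.2 is held back and 1.4.1 is selected; with no minimum, 1.4.2 would be installed within hours of publication, which is the window the thread is worried about.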



I've never heard of this. It sounds like a solid default to me. If you _really_ need an update you can override it, but it should remain the default and not allow opting out.


We (Renovate maintainers) are also making this an inbuilt "best practice" that users who already opt into using the `config:best-practices` preset will start getting for free!

https://github.com/renovatebot/renovate/pull/37967
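For readers who want to apply this in Renovate today, here is an added example of a `renovate.json5` that combines the `config:best-practices` preset mentioned above with an explicit release-age delay. It is not taken from the linked pull request or from the preset itself; `minimumReleaseAge` and `internalChecksFilter` are existing Renovate options, and the three-day value is chosen to match the figure suggested earlier in the thread.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:best-practices"],

  // Do not propose a new version until it has been on the registry this long.
  "minimumReleaseAge": "3 days",

  // "strict": releases that fail the age check are skipped entirely,
  // rather than still being proposed with a warning attached.
  "internalChecksFilter": "strict"
}
```

Setting the delay at the repository level means a compromised maintainer account has to stay undetected for the full window before any automated update PR is even opened.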



The funny thing about this is, if everyone has the same cooldown, aren't we back in the same boat?

Sure, there are other ways for the package maintainer to notice they were pwned, but often they will not notice.


The cooldown isn't for end users. It is for package maintainers and scanners.


What about cases when the update fixes a security issue? Anybody using this approach would be a target for a few more days.


I know it sounds preposterous, but there are more ways to apply patches than npm pull.


Update package versions manually, you say? The audacity!



