NuGet Package Pruning: Cleaner Dependencies and Actionable Vulnerability Reports - .NET Blog

Package pruning in .NET 10 removes platform-provided packages from your dependency graph. With transitive auditing enabled by default, projects with these defaults have 70% fewer transitive vulnerability reports compared to projects using the previous defaults.

.NET Blog
Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a

Private Packagist

Show HN: Inrepo – Pull upstream repos into your app without forks or submodules

inrepo is a CLI tool that lets you pull upstream repository code directly into your project and manage it there, without submodules or forks. It runs on Node.js 20+, pins the upstream git commit, and keeps local changes as patches, so the history of code modifications stays clearly traceable. Drift verification is also possible in CI, which improves the transparency and reproducibility of package dependencies. As a practical alternative for coping with package manager instability or security issues, it helps developers inspect and modify upstream code easily.

https://github.com/inthhq/inrepo

#nodejs #git #packagemanagement #cli #dependencymanagement

GitHub - inthhq/inrepo: Vendor the upstream repos directly into your app

Vendor the upstream repos directly into your app. Contribute to inthhq/inrepo development by creating an account on GitHub.

GitHub

AI-powered NPM deprecation tracker with dependency tree Ghost Detection

StackGraveyard.dev is a service that uses AI-based analysis of the survival status of npm packages to produce a risk score. It combines download counts, commit activity, last-update dates and similar signals for 155 packages to rate risk from 0 to 100, and advises on whether migration is needed according to the risk level. Users can enter their own project's dependency tree to receive an immediate risk report, generate a GitHub badge, or share the results on social media. As an AI-assisted tool for package maintenance and security risk management, it helps developers recognize and respond to dependency problems in advance.

https://www.stackgraveyard.dev/

#npm #dependencymanagement #airiskanalysis #packagemaintenance #opensource

Stack Graveyard - npm Dependency Mortality Intelligence

Know which npm packages are dying before they take your project down. Track 85 dependencies with real-time risk analysis.

Stack Graveyard

Stop Using Yarn Classic

Yarn Classic (1.x) is officially no longer maintained, so it receives no new features or security patches, and patching CVEs in vulnerable transitive dependency packages is particularly difficult. Yarn Berry (4.x) can easily update even transitive dependencies with the 'yarn up --recursive' command, which makes responding to security vulnerabilities far easier. Yarn Classic users are advised to migrate to Yarn Berry or to switch to a modern package manager such as pnpm or Bun. The post explains in detail, from a practical standpoint, the limitations of Yarn Classic and the advantages of modern package managers.

https://charpeni.com/blog/stop-using-yarn-classic

#yarn #packagemanagement #dependencymanagement #security #cve

Stop Using Yarn Classic | Nicolas Charpentier

Yarn Classic is frozen, and its lack of recursive transitive updates is becoming a real liability in an era where CVEs land weekly. It's time to move on.

Nicolas Charpentier

RE: https://mastodon.social/@thehackerwire/116378857363756327

It's OpenClaw again. Which leads me to the question:
Has anyone built a tool that shows the "Vulnerability Timeline" of one and the same software (possibly also checking for renaming or CPE changes by company mergers)?
This could be useful for arguing for/against a package.
#Infosec #DependencyManagement #SoftwareSecurity

Are you working with software dependencies in constrained environments? Then this might interest you:

I’ll give a lightning talk on how we approach practical license and vulnerability management when resources are limited. As Technical Solution Lead at Alliander I deal daily with issues regarding licensing and security. I’ll talk about tooling and share key findings and insights.

Where & when to go?
Monday, March 23
13:15 CET
Amsterdam

#Ospology #DevOps #Security #OpenSource #DependencyManagement

Oh boy, another tool to generate and verify #lockfiles for GitHub Actions, because we all know life's too short to trust those pesky mutable tags. 🔒✨ Let's spend our precious time pinning every single action to exact commit SHAs, because who doesn't love a good game of dependency whack-a-mole? 🎯🛠️
https://gh-actions-lockfile.net #GitHubActions #dependencyManagement #automation #tools #HackerNews #ngated
gh-actions-lockfile

Generate and verify lockfiles for GitHub Actions dependencies. Pin all actions to exact commit SHAs with integrity hashes.

I am really enjoying the Pixi package manager, https://pixi.sh , made by @prefix. We have been using conda at my work for managing the dependencies of our python application. It involves scientific data analysis so there are lots of dependencies, and it has been a challenge to keep things up to date. Pixi has nice support for cleanly defining the direct dependencies in the pixi.toml file, and then it automatically generates a lock file. There is a command to upgrade all the dependencies too. It's amazing! I'm just starting to use it, but it is helpful so far.

#conda
#packageManagement
#pixi
#dependencyManagement


"Cooldowns enforce positive behavior from supply chain security vendors: vendors are still incentivized to discover and report attacks quickly, but are not as incentivized to emit volumes of blogspam about 'critical' attacks on largely underfunded open source ecosystems."

#npm #supplychainattack #dependencymanagement

https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

We should all be using dependency cooldowns