Three years ago I blogged about #nuget serving outdated #curl packages.

They then removed the packages I found.

I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.

The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/

@bagder That’s because they heard that “with JavaScript development, packages are outdated as soon as you install them,” so they wanted to do the same, but they didn’t understand it was a joke.
@poleguy