I mean, modern package managers generally now come with lock files, which effectively auto-pin your dependencies, until you trigger a dependency update.
And while it isn’t bullet-proof, it does result in you effectively having a dependency cooldown most of the time. You’re only vulnerable, if you trigger the dependency update while the compromised dependency release is public.
Obviously, this can be bad enough, but it does also mean that an ecosystem with lock files is far less attractive to target with a supply-chain attack, since far fewer hosts will get compromised on average.
I mean, modern package managers generally now come with lock files, which effectively auto-pin your dependencies, until you trigger a dependency update.
And while it isn’t bullet-proof, it does result in you effectively having a dependency cooldown most of the time. You’re only vulnerable, if you trigger the dependency update while the compromised dependency release is public.
Obviously, this can be bad enough, but it does also mean that an ecosystem with lock files is far less attractive to target with a supply-chain attack, since far fewer hosts will get compromised on average.