RC RANDOM CHAOS

dependency management

4 posts

Nobody checked what came back
Article

Nobody checked what came back

The idTech build did not fail. It resolved a version reference exactly as designed, treating a source's identity as proof of its content's integrity.

A name is not trust
Article

A name is not trust

Package registries resolve a name to an artifact, not a source. When the party behind a trusted name changes, the system inherits trust it cannot verify.

npm v12 flips the breaker on silent installs
Article

npm v12 flips the breaker on silent installs

npm v12 deprecates older versions and hardens security defaults. What the moved enforcement points expose and what must be true before the release lands.

How Trust in Open-Source Updates Becomes a Systemic Failure Mode
Article

How Trust in Open-Source Updates Becomes a Systemic Failure Mode

A structural analysis of how trust in open-source updates becomes exploitable when systems assume past safety implies future safety, using the Trivy compromise as a case study.