dependency management
4 posts
Article
Nobody checked what came back
The idTech build did not fail. It resolved a version reference exactly as designed, treating a source's identity as proof of its content's integrity.
Article
A name is not trust
Package registries resolve a name to an artifact, not a source. When the party behind a trusted name changes, the system inherits trust it cannot verify.
Article
npm v12 flips the breaker on silent installs
npm v12 deprecates older versions and hardens security defaults. What the moved enforcement points expose and what must be true before the release lands.
Article
How Trust in Open-Source Updates Becomes a Systemic Failure Mode
A structural analysis of how trust in open-source updates becomes exploitable when systems assume past safety implies future safety, using the Trivy compromise as a case study.