We should all be using dependency cooldowns
a day ago
- #supply-chain-security
- #dependency-management
- #open-source
- Dependency cooldowns are a free and effective way to mitigate open source supply chain attacks.
- Most supply chain attacks have a short window of opportunity (often under a week).
- Cooldowns delay the adoption of new dependencies, allowing time for vulnerabilities to be detected.
- Implementing cooldowns is easy with tools like Dependabot and Renovate.
- Cooldowns can prevent 80-90% of supply chain attacks with minimal effort.
- Package managers should integrate cooldown features natively for better security.
- Supply chain security is a social trust problem, not just a technical one.
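The post's point about Dependabot and Renovate is easiest to see in configuration. Below is an added example (not from the post or from either project) of a `.github/dependabot.yml` that enforces a cooldown on an npm project, using Dependabot's `cooldown` settings; the ecosystem, directory, day counts and the `@example-org/*` internal scope are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml (added example; values are illustrative)
version: 2
updates:
  - package-ecosystem: "npm"     # assumption: a Node project; use the ecosystem your repo actually has
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      # Do not propose any release younger than 7 days: most malicious
      # versions are pulled from the registry well inside that window.
      default-days: 7
      # Bigger jumps get a longer wait; patch releases (where most
      # hijacked-account payloads land) still wait 3 days.
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 3
      include:
        - "*"
      exclude:
        # assumption: first-party packages you publish yourself need no cooldown
        - "@example-org/*"
    # Keep the PR volume low so the delayed updates are actually reviewed.
    open-pull-requests-limit: 10
```

Renovate expresses the same policy with the `minimumReleaseAge` setting (for example `"minimumReleaseAge": "7 days"` in `renovate.json`); pairing it with `"internalChecksFilter": "strict"` makes Renovate skip versions that are still inside the window rather than merely holding the PR. In both tools the cooldown only delays the routine bump; it is worth keeping a documented manual override for the case where the newest release is itself the security fix.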