#package-managers

[ follow ]
#linux #javascript-ecosystem #supply-chain-vulnerabilities #remote-code-execution #supply-chain-security
Information security
fromSecurityWeek
1 week ago

'PackageGate' Flaws Open JavaScript Ecosystem to Supply Chain Attacks

Six vulnerabilities in major JavaScript package managers (NPM, PNPM, VLT, Bun) allow bypassing supply chain protections and enable remote code execution.
fromInfoWorld
1 week ago

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn't match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.
Information security
Python
fromRealpython
2 weeks ago

uv vs pip: Python Packaging and Dependency Management - Real Python

Choose pip for broad compatibility and ecosystem support; choose uv for faster installs, reproducible environments, cleaner uninstalls, and streamlined new-project workflows.
#linux
fromZDNET
1 month ago
Software development

I've tried nearly every Linux package manager - these remain my favorite

fromZDNET
6 months ago
Software development

Installing apps on Linux? 4 ways it's different than any other OS - and mistakes to avoid

fromZDNET
1 month ago
Software development

I've tried nearly every Linux package manager - these remain my favorite

fromZDNET
6 months ago
Software development

Installing apps on Linux? 4 ways it's different than any other OS - and mistakes to avoid

more#linux
Software development
fromInfoWorld
4 months ago

Open source registries signal shift toward paid models as AI strains infrastructure

Donation-based funding for major open-source package registries is dangerously fragile and may lead to changes in access, pricing, or service levels for high-volume commercial users.
[ Load more ]