Use the Dependency Firewall to flag suspicious packages downloaded from npmjs.org
Problem to solve
Many projects depend on packages that may come from unknown or unverified providers, introducing potential security vulnerabilities. When fetching packages from external registries, it is important to understand if they have recently been updated under suspicious circumstances.
This occurred recently when a Bitcoin currency stealer was included in over 700 Ruby packages.
Intended users
Further details
Proposal
When a user on GitLab Premium or Ultimate pulls an npm package from npmjs.com, flag the package and alert the user if its author name or email has recently been updated, so that users are aware of potentially suspicious changes.
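The check described above, as an added example that is not GitLab's Dependency Firewall code: it reads an npm registry packument (the JSON returned by `GET https://registry.npmjs.org/<name>`), orders the published versions by their `time` entries, and reports every version whose `_npmUser` name or email differs from the previous version's, marking changes inside a configurable window as recent. The package name, versions, dates, e-mail addresses and "current time" are constructed sample data.

```python
# Added example (not GitLab's Dependency Firewall code): flag npm packages
# whose publisher name/email changed recently. Works on the registry
# "packument" (GET https://registry.npmjs.org/<name>) using its documented
# `time` and `versions[<v>]._npmUser` fields. All sample data is constructed.
from datetime import datetime, timedelta, timezone


def _parse(ts: str) -> datetime:
    # npm timestamps look like "2020-04-01T12:00:00.000Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def publisher_changes(packument: dict, now: datetime, window_days: int = 30) -> list:
    """One finding per version whose _npmUser differs from the previous
    version's; 'recent' is True when the change lies inside the window."""
    times, versions = packument.get("time", {}), packument.get("versions", {})
    # Order by publish time; skips the non-version "created"/"modified" keys.
    ordered = sorted((v for v in versions if v in times), key=lambda v: _parse(times[v]))
    findings, previous = [], None
    for version in ordered:
        user = versions[version].get("_npmUser", {})
        current = (user.get("name"), user.get("email"))
        if previous is not None and current != previous:
            findings.append({
                "version": version, "from": previous, "to": current,
                "recent": now - _parse(times[version]) <= timedelta(days=window_days),
            })
        previous = current
    return findings


def _entry(email="alice@example.org"):
    return {"_npmUser": {"name": "alice", "email": email}}


# Constructed packument: the publisher e-mail changes at 1.2.0.
SAMPLE = {
    "name": "example-left-pad",
    "time": {"created": "2020-01-01T00:00:00.000Z",
             "1.0.0": "2020-01-01T00:00:00.000Z",
             "1.1.0": "2020-06-01T00:00:00.000Z",
             "1.2.0": "2021-03-20T00:00:00.000Z"},
    "versions": {"1.0.0": _entry(), "1.1.0": _entry(), "1.2.0": _entry("alice@mail.example")},
}
NOW = datetime(2021, 4, 1, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for f in publisher_changes(SAMPLE, NOW):
        flag = " (recent: flag and alert)" if f["recent"] else ""
        print(f"{SAMPLE['name']}@{f['version']}: {f['from']} -> {f['to']}{flag}")
```

Against a live registry the same function runs unchanged on the parsed packument; only the `now` argument and the window need choosing to match the alerting policy.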
Permissions and Security
- There are no permissions changes required for this change
Documentation
Availability & Testing
What does success look like, and how can we measure that?
Success looks like we help our users prevent malicious packages from external registries from entering their codebase.
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Edited by Tim Rizzi