Implement Countermeasures to "dependency confusion" in repositories


Release notes

This mitigates "dependency confusion" issues in GitLab-hosted private repositories.

Problem to solve

Recent publications revealed the problem of "dependency confusion". See for example:

Sonatype published a script to scan for this in repositories to find name clashes:

Similar countermeasures should be considered by GitLab.

Intended users

I think these would be concerned:

User experience goal

  • I would get notified if a default public package collided with my private packages
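One way to implement the notification above, as an added example that is not GitLab's code and not Sonatype's script: it applies each registry's own name-normalization rule (PyPI's PEP 503 form, npm's lowercase names) before comparing, so a private `Acme.Billing` is reported against a public `acme-billing`. The private and public name lists are constructed sample data standing in for a registry listing and a public index query.

```python
"""Report private package names that clash with names on a public registry."""
import re
from typing import Dict, Iterable, List


def normalize(ecosystem: str, name: str) -> str:
    """Canonical form under which the registry treats two names as one package."""
    if ecosystem == "pypi":
        # PEP 503: case-insensitive; any run of '-', '_' or '.' compares equal
        return re.sub(r"[-_.]+", "-", name).lower()
    if ecosystem == "npm":
        # npm names are lowercase; a scope such as '@acme/' is part of the identity
        return name.strip().lower()
    raise ValueError(f"unsupported ecosystem: {ecosystem}")


def find_collisions(ecosystem: str, private_names: Iterable[str],
                    public_names: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per private package whose canonical name exists publicly."""
    public = {normalize(ecosystem, n): n for n in public_names}
    findings = []
    for private in private_names:
        key = normalize(ecosystem, private)
        if key in public:
            findings.append({
                "ecosystem": ecosystem,
                "private": private,
                "public": public[key],
                "risk": "an installer that consults both indexes may resolve the public package",
            })
    return findings


# Constructed sample data: a private registry's names and a slice of the public indexes.
PRIVATE_PYPI = ["acme_internal_auth", "Acme.Billing", "acme-reports"]
PUBLIC_PYPI = ["acme-internal-auth", "requests", "acme-billing"]
PRIVATE_NPM = ["@acme/ui-kit", "acme-config-loader", "Acme-Logger"]
PUBLIC_NPM = ["acme-logger", "@acme/ui-kit", "lodash"]


def scan_all() -> List[Dict[str, str]]:
    """Scan both ecosystems; each finding is what a user notification would carry."""
    return (find_collisions("pypi", PRIVATE_PYPI, PUBLIC_PYPI)
            + find_collisions("npm", PRIVATE_NPM, PUBLIC_NPM))


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f['ecosystem']}] private '{f['private']}' clashes with public '{f['public']}'")
```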

Proposal

Further details

Permissions and Security

Documentation

Availability & Testing

Available Tier

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references
