Security Researchers Notice Software Packages Typically don’t Have Canonical Names Across Private Repositories

astorm

It looks like security researchers have noticed that open source software package repositories are sort of bad at package name resolution, and that it’s relatively easy to slip a shady package into the public dependency chain when folks are publishing code in the open that references private packages.

So that’s me checking off another item on my “things that have always bothered me but industry practice is to shrug” list.

Also I didn’t see composer mentioned so there may still be bounties to reap from Adobe given Magento’s “every user has their own private packagist repository” thing.
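As an added illustration of the name-resolution problem above (this is example code, not from the post or from Composer itself), the check below reads a constructed `composer.json` and flags packages from a private vendor that Packagist could still satisfy because the private repository is not given a Composer 2 `only` filter and packagist.org is not disabled; the `acme` vendor prefix and the repository URL are assumptions.

```python
import json
from fnmatch import fnmatch

# Constructed composer.json (not from the post): a project that mixes public
# packages with two packages that exist only on a private repository.
COMPOSER_JSON = """{
  "require": {
    "magento/product-community-edition": "2.4.2",
    "acme/internal-checkout": "^1.0",
    "acme/internal-reports": "^2.1",
    "monolog/monolog": "^2.0"
  },
  "repositories": [
    {"type": "composer", "url": "https://repo.example.com/private/"}
  ]
}"""

# Assumption: "acme" is the vendor prefix this organisation publishes only privately.
PRIVATE_VENDORS = {"acme"}


def find_confusable(composer_json: str, private_vendors=PRIVATE_VENDORS) -> list[str]:
    """Return required packages that belong to a private vendor but are not
    restricted to a private repository via a Composer 2 `only` filter, so a
    same-named package published to packagist.org could also satisfy them."""
    cfg = json.loads(composer_json)
    repos = cfg.get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object form
        repos = [v if isinstance(v, dict) else {k: v} for k, v in repos.items()]
    # Packagist stays in the resolution path unless explicitly disabled.
    packagist_enabled = not any(r.get("packagist.org") is False for r in repos)
    # Name patterns (e.g. "acme/*") that a repository claims exclusively via `only`.
    only_patterns = [p for r in repos for p in r.get("only", [])]

    flagged = []
    for name in cfg.get("require", {}):
        vendor = name.split("/", 1)[0]
        if vendor not in private_vendors:
            continue
        pinned = any(fnmatch(name, pat) for pat in only_patterns)
        if packagist_enabled and not pinned:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for pkg in find_confusable(COMPOSER_JSON):
        print(f"{pkg}: private package name is also resolvable from packagist.org")
```

Adding `"only": ["acme/*"]` to the private repository entry (or `{"packagist.org": false}` when every package is mirrored privately) clears the report.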

Copyright © Alan Storm 1975 – 2021 All Rights Reserved

Originally Posted: 13th February 2021