Block recently published - Metadata filter ?
Hi, we have some trouble configuring an npm feed.
We have a ProGet Enterprise instance up and running
In addition to the standard malicious package blocking feature of ProGet,
for npm I have set a policy to block packages which were only recently published on npmjs, i.e. in the last 24-48 hours.
This policy would prevent most malicious packages from even entering our system before they get discovered.
See also: https://veln.sh/blog/mean-time-to-detection-malicious-npm for common detection timelines.

Why is only blocking discovered malicious packages not enough:
The standard malicious blocking from ProGet would only work after the fact, when a package is officially detected as malicious, which also means that at that point they are already removed online from the official repo. So that means this ProGet mechanism would only catch packages which were already used by us in builds/caches or dev environments, which means we could already be compromised.

So while it sounds good in theory to block new packages for at least a day, there are some operational issues with this.
Unfortunately ProGet does not remove blocked packages from the repository metadata (P.S. Competitor Sonatype's paid version does: https://help.sonatype.com/en/policy-compliant-component-selection.html). This means that dependencies (or sub-dependencies of dependencies deep in the dependency tree) which are defined by a version range could still try to use a new dependency version which is blocked, and then fail.

This has already caused issues for our team, causing errors when consuming packages.
How are others dealing with this?
Are there plans to support metadata filtering for blocked packages?
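To illustrate what the metadata filtering asked for above would have to do, here is an added example (not ProGet's, Inedo's or npm's code): it takes an npm packument (the JSON a registry returns for `GET /<package>`), drops every version published within a quarantine window, and repairs `dist-tags` so that `latest` points at the newest remaining version. With the blocked versions gone from the metadata, a client resolving a range like `^1.0.0` lands on an older, allowed version instead of picking the blocked one and failing at download time. The package name, version list, timestamps and the 48-hour window are all constructed for the example; a version with no publish timestamp is treated as new (fail closed).

```javascript
// Added example: filter recently published versions out of an npm packument.
// Not ProGet code; the packument below is constructed for illustration.

const QUARANTINE_MS = 48 * 60 * 60 * 1000; // 48 hours, matching the policy in the post

// Constructed sample packument in the shape an npm registry returns.
// Note: '1.0.0' deliberately has no entry under `time`.
const samplePackument = {
  name: 'example-lib',
  'dist-tags': { latest: '1.3.0', next: '1.3.0' },
  versions: {
    '1.0.0': { name: 'example-lib', version: '1.0.0', dist: { tarball: 'https://registry.example/example-lib/-/example-lib-1.0.0.tgz' } },
    '1.1.0': { name: 'example-lib', version: '1.1.0', dist: { tarball: 'https://registry.example/example-lib/-/example-lib-1.1.0.tgz' } },
    '1.2.0': { name: 'example-lib', version: '1.2.0', dist: { tarball: 'https://registry.example/example-lib/-/example-lib-1.2.0.tgz' } },
    '1.3.0': { name: 'example-lib', version: '1.3.0', dist: { tarball: 'https://registry.example/example-lib/-/example-lib-1.3.0.tgz' } },
  },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2024-03-10T12:00:00.000Z',
    '1.1.0': '2024-01-01T00:00:00.000Z',
    '1.2.0': '2024-02-01T00:00:00.000Z',
    '1.3.0': '2024-03-10T12:00:00.000Z',
  },
};

// Returns a copy of `packument` with quarantined versions removed, plus the
// list of versions that were removed. `now` is a Date or epoch milliseconds.
function filterRecentVersions(packument, now, quarantineMs = QUARANTINE_MS) {
  const nowMs = now instanceof Date ? now.getTime() : now;
  const blocked = [];
  const versions = {};
  const time = { ...(packument.time || {}) };

  for (const [version, manifest] of Object.entries(packument.versions || {})) {
    const published = packument.time && packument.time[version];
    // Fail closed: no timestamp, or published inside the window, means blocked.
    if (!published || nowMs - Date.parse(published) < quarantineMs) {
      blocked.push(version);
      delete time[version];
    } else {
      versions[version] = manifest;
    }
  }

  // Drop dist-tags that point at a removed version; a client following such a
  // tag would otherwise request a tarball the proxy refuses to serve.
  const distTags = {};
  for (const [tag, target] of Object.entries(packument['dist-tags'] || {})) {
    if (versions[target]) distTags[tag] = target;
  }

  // Repoint `latest` at the most recently published version that survived.
  const remaining = Object.keys(versions);
  if (remaining.length > 0 && !distTags.latest) {
    remaining.sort((a, b) => Date.parse(time[b]) - Date.parse(time[a]));
    distTags.latest = remaining[0];
  }

  return {
    packument: { ...packument, versions, 'dist-tags': distTags, time },
    blocked,
  };
}
```

Run against the sample with a clock set 12 hours after `1.3.0` was published, the filter removes `1.3.0` (too new) and `1.0.0` (no timestamp), drops the `next` tag, and repoints `latest` to `1.2.0`. A proxy applying this to every packument it serves would make range resolution and the block policy agree; versions that later age out of the window reappear on the next fetch without any client-side change.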