Can you please provide further details on the handling of malicious packages? The Inedo Security Labs site (https://security.inedo.com/vulnerability/malicious-packages) states:
Our research team is constantly monitoring these threats and evolving our detection methods to stay ahead of these attacks. Below is a list of packages that we're aware of and actively blocking in ProGet.
However, I can't find the corresponding documentation for such a feature, only the following, which covers vulnerable packages but does not mention malicious packages: https://docs.inedo.com/docs/proget/sca/vulnerabilities
Specifically, I'd like to know:
- What version of ProGet is required to block malicious packages?
- What configuration settings are needed to block malicious packages?
- Can a block be overridden?
- Is the malicious package list retrieved periodically and stored locally on the ProGet instance? If so, how often is this done and is this configurable?
- What visibility do we get when a malicious package is blocked?