Sniff out stale AI override advice with this open source CLI


Package dependencies can create vulnerabilities that are fiendishly hard to find and stamp out

The JavaScript development ecosystem may be a security nightmare, but it's also ripe for improvement.

One tool aimed at that improvement is the CVE Lite CLI, a free open source dependency scanner that helps reduce the risk of software supply chain attacks. It runs locally and provides actionable vulnerability fixes, if any are available.

The tool, endorsed by OWASP, has recently been updated to include override auditing, which has the potential to avert transitive dependency vulnerabilities such as the March 2022 node-ipc package incident.

The Shai-hulud software supply chain attacks that have been vexing security professionals for the past few months underscore how common it has become for threat actors to target the developer ecosystem, including CI/CD, package registries, and developer tooling.

Software developers can reduce their risk by making sure the dependencies in their apps are...

Copyright of this story solely belongs to theregister.com.