
It is exactly to avoid this kind of issue that I decided to work on StableBuild. StableBuild pins and hosts a copy of your dependencies at a specific freeze date, so that your supply chain is never contaminated. This way, a compromised version published after your freeze date (even with the same version number!) would never reach your build.
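Added example (not StableBuild's code, and not from the comment author): the check a freeze-date pin implies, contrasted with a version-only pin. The artifact bytes, lockfile entry, freeze date and publication dates are all constructed for the demonstration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed freeze date: nothing published after this may enter the build.
FREEZE_DATE = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed artifacts. Both carry the same name and version number;
# only the bytes differ (the second stands for a later re-publish).
ORIGINAL_TARBALL = b"leftpad-1.3.0: def left_pad(s, n): return s.rjust(n)\n"
REPUBLISHED_TARBALL = b"leftpad-1.3.0: def left_pad(s, n): return s.rjust(n)  # changed\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Lockfile written at freeze time: it records the version *and* the content hash.
LOCKFILE = {"leftpad": {"version": "1.3.0", "sha256": sha256_hex(ORIGINAL_TARBALL)}}


def version_only_check(name: str, version: str, lockfile=LOCKFILE) -> bool:
    """What a bare version pin gives you: same number, accepted."""
    pin = lockfile.get(name)
    return pin is not None and pin["version"] == version


def frozen_check(name: str, version: str, data: bytes, published_at: datetime,
                 lockfile=LOCKFILE, freeze=FREEZE_DATE) -> tuple[bool, str]:
    """Version must match, artifact must predate the freeze, and the content
    hash must equal the one recorded at freeze time. Returns (accepted, reason)."""
    pin = lockfile.get(name)
    if pin is None:
        return False, "not in lockfile"
    if version != pin["version"]:
        return False, f"version {version} != pinned {pin['version']}"
    if published_at > freeze:
        return False, f"published {published_at.date()} after freeze {freeze.date()}"
    if sha256_hex(data) != pin["sha256"]:
        return False, "sha256 mismatch for the same version number"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise both checks against the original and the re-published artifact."""
    before = datetime(2024, 1, 10, tzinfo=timezone.utc)   # constructed
    after = datetime(2024, 2, 1, tzinfo=timezone.utc)     # constructed
    return {
        "version_only_republished": version_only_check("leftpad", "1.3.0"),
        "frozen_original": frozen_check("leftpad", "1.3.0", ORIGINAL_TARBALL, before),
        "frozen_republished_same_date": frozen_check("leftpad", "1.3.0", REPUBLISHED_TARBALL, before),
        "frozen_republished_after_freeze": frozen_check("leftpad", "1.3.0", REPUBLISHED_TARBALL, after),
    }
```

The version-only pin accepts the re-published artifact; the frozen check rejects it on the content hash, and rejects anything published after the freeze date before even hashing it.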



Literally every package manager already does this.


