Dependency Confusion Attack - Dub affected?

Andre Pany andre at
Thu Feb 11 14:01:38 UTC 2021

On Thursday, 11 February 2021 at 13:05:33 UTC, Jacob Carlborg 
> I recently read this [1] interesting article. Would Dub 
> affected by this? Based on what I could find in the Dub 
> documentation, it looks like Dub would **not** be affected. 
> According to the documentation Dub will try custom registers 
> first, is that correct?
> [1] 
> --
> /Jacob Carlborg

It is a good practice for companies to have all dub packages 
mirrored to an internal dub registry / maven repository and let 
the dub clients only connect to this internal registry.

In addition to security aspects, you can build your software even 
without an internet connection.

Kind regards

More information about the Digitalmars-d mailing list