Dependency Confusion Attack - Dub affected?
schveiguy at gmail.com
Fri Feb 12 20:48:31 UTC 2021
On 2/11/21 8:05 AM, Jacob Carlborg wrote:
> I recently read this interesting article. Would Dub be affected by
> this? Based on what I could find in the Dub documentation, it looks like
> Dub would **not** be affected. According to the documentation Dub will
> try custom registries first, is that correct?
This is very interesting. There are many reasons to have alternate
repositories for dependency management.
It would seem to me that the most logical way to fix this vulnerability
is to specify in your dub config that all packages that start with
"xyz_" or whatnot should only ever come from an internal server.
Perhaps a dependency can have a server prefix, and then if you don't
have that server in your dub config, it errors. This way, your build
system would have to opt in to finding those packages elsewhere.
More information about the Digitalmars-d
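The registry-scoping rule proposed in the post above, modelled as an added example (this is not dub's code, and dub has no "prefix rule" option; the registry URLs, the package indexes, and the attacker's "xyz_util" 99.0.0 release are all constructed for the illustration). It contrasts the naive "highest version wins, whichever registry it came from" resolution that dependency confusion exploits with a resolver that binds a name prefix to one registry and errors out when that registry is not configured instead of falling back to the public one.

```python
# Toy model of the prefix-to-registry rule. Added example, not dub's code.
# Hypothetical URLs and indexes; nothing here touches the network.

PUBLIC_REGISTRY = "https://code.dlang.org"        # dub's default registry
INTERNAL_REGISTRY = "https://dub.corp.example"    # hypothetical internal server

# Constructed registry indexes: package name -> published versions.
# An attacker has published "xyz_util" 99.0.0 on the public registry to
# shadow the internal 1.x series.
INDEXES = {
    PUBLIC_REGISTRY:   {"vibe-d": ["0.9.3", "0.9.4"], "xyz_util": ["99.0.0"]},
    INTERNAL_REGISTRY: {"xyz_util": ["1.2.0", "1.3.0"]},
}


def version_key(version):
    """Order dotted versions numerically ("99.0.0" > "1.3.0")."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(package, registries):
    """Pick the highest version found on any configured registry.
    This is the behaviour a dependency confusion attack relies on."""
    best = None
    for url in registries:
        for version in INDEXES.get(url, {}).get(package, []):
            if best is None or version_key(version) > version_key(best[1]):
                best = (url, version)
    if best is None:
        raise LookupError(f"{package}: not found on any configured registry")
    return best


class RegistryPolicyError(Exception):
    """A scoped package's registry is not in the build configuration."""


def resolve_scoped(package, registries, prefix_rules):
    """Proposed rule: a package whose name matches a prefix may only come
    from the registry bound to that prefix. If that registry is not
    configured, fail; never fall back to another registry."""
    for prefix, url in prefix_rules.items():
        if package.startswith(prefix):
            if url not in registries:
                raise RegistryPolicyError(
                    f"{package}: prefix '{prefix}' is bound to {url}, "
                    f"which is not a configured registry")
            candidates = INDEXES.get(url, {}).get(package, [])
            if not candidates:
                raise LookupError(
                    f"{package}: not published on {url}; fallback forbidden")
            return (url, max(candidates, key=version_key))
    # Names that match no prefix resolve as before.
    return resolve_naive(package, registries)


if __name__ == "__main__":
    configured = [INTERNAL_REGISTRY, PUBLIC_REGISTRY]
    rules = {"xyz_": INTERNAL_REGISTRY}
    print("naive :", resolve_naive("xyz_util", configured))
    print("scoped:", resolve_scoped("xyz_util", configured, rules))
    try:
        resolve_scoped("xyz_util", [PUBLIC_REGISTRY], rules)
    except RegistryPolicyError as err:
        print("scoped, internal registry missing:", err)
```

The point of the last case is the one the post makes: a build that does not know about the internal server should refuse to build, not quietly fetch the attacker's public package of the same name.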