Dependency Confusion Attack - Dub affected?

Steven Schveighoffer schveiguy at gmail.com
Fri Feb 12 20:48:31 UTC 2021


On 2/11/21 8:05 AM, Jacob Carlborg wrote:
> I recently read this [1] interesting article. Would Dub be affected by 
> this? Based on what I could find in the Dub documentation, it looks like 
> Dub would **not** be affected. According to the documentation Dub will 
> try custom registers first, is that correct?

This is very interesting. There are many reasons to have alternate 
repositories for dependency management.

It would seem to me that the most logical way to fix this vulnerability 
is to specify in your dub config that all packages that start with 
"xyz_" or whatnot should only ever come from an internal server.

Perhaps a dependency can have a server prefix, and then if you don't 
have that server in your dub config, it errors. This way, your build 
system would have to opt in to finding those packages elsewhere.

-Steve
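The two mitigations Steve sketches (names with an internal prefix may only ever come from the internal registry, and a dependency qualified with a server name errors if that server is not in the config) modelled as a small resolver. This is an added example, not part of the original thread and not Dub's own resolution code; the `server:package` syntax, the registry names, the package names and the versions are all constructed for illustration. The naive "highest version from any registry" resolver is included beside it so the difference is visible on the same input.

```python
"""Model of prefix-scoped registry resolution for a dub-like package manager.

Added example (not Dub's own code): packages matching an internal prefix may
only come from the internal registry, and a server-qualified dependency fails
if that server is not configured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class ResolutionError(Exception):
    """Raised when a dependency cannot be resolved under the configured policy."""


@dataclass
class Registry:
    name: str
    packages: Dict[str, List[str]]  # package name -> available versions


@dataclass
class Config:
    registries: Dict[str, Registry]
    scoped_prefixes: Dict[str, str]  # name prefix -> registry that owns it
    default_order: List[str]         # registries tried for unscoped names


def version_key(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically ("1.10.0" > "1.9.0")."""
    return tuple(int(part) for part in version.split("."))


def parse_dependency(spec: str) -> Tuple[Optional[str], str]:
    """Split an optional 'server:' qualifier off a dependency spec (constructed syntax)."""
    if ":" in spec:
        server, name = spec.split(":", 1)
        return server, name
    return None, spec


def allowed_registries(config: Config, spec: str) -> Tuple[str, List[str]]:
    """Decide which registries may serve this dependency.

    A server-qualified spec is pinned to that server and is an error if the
    server is not configured; a name matching a scoped prefix is pinned to the
    owning registry; anything else follows the default search order.
    """
    server, name = parse_dependency(spec)
    if server is not None:
        if server not in config.registries:
            raise ResolutionError(f"{spec!r} requires registry {server!r}, which is not configured")
        return name, [server]
    for prefix, registry in config.scoped_prefixes.items():
        if name.startswith(prefix):
            if registry not in config.registries:
                raise ResolutionError(f"prefix {prefix!r} is scoped to unconfigured registry {registry!r}")
            return name, [registry]
    return name, list(config.default_order)


def resolve(config: Config, spec: str) -> Tuple[str, str]:
    """Resolve spec to (registry, version) under the scoping policy."""
    name, candidates = allowed_registries(config, spec)
    for registry_name in candidates:
        versions = config.registries[registry_name].packages.get(name, [])
        if versions:
            return registry_name, max(versions, key=version_key)
    raise ResolutionError(f"{name!r} not found in registries {candidates}")


def is_resolvable(config: Config, spec: str) -> bool:
    """True if spec resolves under the policy, False if it is rejected."""
    try:
        resolve(config, spec)
        return True
    except ResolutionError:
        return False


def resolve_highest_anywhere(config: Config, name: str) -> Optional[Tuple[str, str]]:
    """The confusable behaviour: merge all registries and take the highest version."""
    best: Optional[Tuple[str, str]] = None
    for registry in config.registries.values():
        for version in registry.packages.get(name, []):
            if best is None or version_key(version) > version_key(best[1]):
                best = (registry.name, version)
    return best


# Constructed sample data: an internal package name that also exists on the
# public registry with a higher version, the situation this thread is about.
CONFIG = Config(
    registries={
        "internal": Registry("internal", {"xyz_utils": ["1.1.0", "1.2.0"]}),
        "public": Registry("public", {"xyz_utils": ["99.0.0"], "vibe-d": ["0.9.3"]}),
    },
    scoped_prefixes={"xyz_": "internal"},
    default_order=["internal", "public"],
)

if __name__ == "__main__":
    print("policy  :", resolve(CONFIG, "xyz_utils"))
    print("naive   :", resolve_highest_anywhere(CONFIG, "xyz_utils"))
    print("unscoped:", resolve(CONFIG, "vibe-d"))
    print("unknown server rejected:", not is_resolvable(CONFIG, "partner:xyz_utils"))
```

With the prefix rule in place, `xyz_utils` resolves to the internal 1.2.0 even though the public registry offers 99.0.0, whereas the merged "highest version anywhere" resolver picks the public one. The `default_order` list also models "try the custom registry first" for unscoped names, but note that order alone only helps when first-found wins; the prefix scoping is what removes the public registry from consideration entirely.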
