npm and pip package registries distribute developer-uploaded bundles that are not reproducible from source and carry no provenance verification, which leaves the software supply chain open to tampered or substituted artifacts. The article analyzes why source-reproducible builds are impractical as a fix: an npm package has no reliable path back to the source it was built from, and a requirement that pip packages publish their source fails for packages that ship native binaries, such as PyTorch. A Dependency Explorer tool helps developers audit their transitive dependencies.
Npm Slop & Wonky Software Supply Chains
npm and pip registries lack provenance verification for uploaded bundles, creating exploitable supply chain vulnerabilities that source-reproducible builds cannot practically mitigate.
Sunday, April 26, 2026, 12:00 PM UTC · 2 min read · Source: Lobsters · By sys://pipeline
Tags
safety
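As an added example (not the article's Dependency Explorer, and not code from the article), the following Python walks the transitive dependency tree recorded in an npm package-lock.json and reports what an offline audit can and cannot establish. The lockfile's `integrity` hash pins the bytes of the uploaded tarball, but nothing in the lockfile links those bytes to source, which is the gap the summary above describes. The sample lockfile and package names are constructed; the official-registry hostname check, the install-script flag and the `dist.attestations` shape read by `has_registry_provenance` are this example's own heuristics and assumptions about npm's metadata, not a registry verdict.

```python
"""Walk the transitive dependency tree of an npm package-lock.json
(lockfileVersion 3) and flag entries an offline audit cannot tie to a
pinned, registry-hosted artifact. Added example; lockfile is constructed."""
import json
from collections import deque

OFFICIAL_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample package-lock.json; every package name is made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"pad-ish": "^1.0.0", "native-thing": "^2.1.0"}},
        "node_modules/pad-ish": {
            "version": "1.0.3",
            "resolved": OFFICIAL_REGISTRY + "pad-ish/-/pad-ish-1.0.3.tgz",
            "integrity": "sha512-c2FtcGxlLWludGVncml0eS1ub3QtcmVhbA",
            "dependencies": {"tiny-util": "~0.2.0"},
        },
        "node_modules/tiny-util": {
            "version": "0.2.1",
            "resolved": OFFICIAL_REGISTRY + "tiny-util/-/tiny-util-0.2.1.tgz",
            # no "integrity": nothing pins the tarball bytes
        },
        "node_modules/native-thing": {
            "version": "2.1.0",
            "resolved": "https://mirror.example.internal/native-thing-2.1.0.tgz",
            "integrity": "sha512-YW5vdGhlci1mYWtlLWhhc2g",
            "hasInstallScript": True,
        },
    },
})


def pkg_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve_dep(packages, from_path, dep):
    """Return the lockfile key npm would use for `dep` required by the package
    at `from_path`: nearest nested node_modules first, then hoisted ones."""
    base = from_path
    while True:
        candidate = (base + "/" if base else "") + "node_modules/" + dep
        if candidate in packages:
            return candidate
        if not base:
            return None
        # pop one level: node_modules/a/node_modules/b -> node_modules/a -> ''
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def walk(lock_json):
    """Breadth-first walk from the root entry; returns {path: entry} for
    every package reachable through dependencies or optionalDependencies."""
    packages = json.loads(lock_json)["packages"]
    seen = {}
    queue = deque([""])
    while queue:
        path = queue.popleft()
        entry = packages[path]
        deps = {**entry.get("dependencies", {}), **entry.get("optionalDependencies", {})}
        for dep in deps:
            target = resolve_dep(packages, path, dep)
            if target is None or target in seen:
                continue
            seen[target] = packages[target]
            queue.append(target)
    return seen


def audit(lock_json):
    """Return {name@version: [findings]} for reachable packages with findings.
    These checks are the example's own heuristics."""
    report = {}
    for path, entry in walk(lock_json).items():
        key = f"{pkg_name(path)}@{entry.get('version', '?')}"
        findings = []
        if "integrity" not in entry:
            findings.append("no integrity hash: tarball bytes are not pinned")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(OFFICIAL_REGISTRY):
            findings.append(f"resolved outside the official registry: {resolved or '(none)'}")
        if entry.get("hasInstallScript"):
            findings.append("runs an install script at install time")
        if findings:
            report[key] = findings
    return report


def has_registry_provenance(version_doc):
    """True if a packument version carries a provenance attestation.
    Assumes npm's `dist.attestations.provenance` shape; nothing is fetched."""
    att = version_doc.get("dist", {}).get("attestations") or {}
    return bool(att.get("url")) and "provenance" in att


if __name__ == "__main__":
    for pkg, notes in audit(SAMPLE_LOCK).items():
        print(pkg)
        for note in notes:
            print("  -", note)
```

Run as a script, it reports `tiny-util@0.2.1` for the missing integrity hash and `native-thing@2.1.0` for the off-registry tarball and install script, while `pad-ish@1.0.3` passes every lockfile check. Even a clean entry only proves the installed bytes match what was uploaded; whether those bytes correspond to any published source is exactly what the lockfile cannot tell you, and `has_registry_provenance` shows the one registry-side signal that would have to be fetched separately.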