Thanks for your work on the Mason package registry. While we have seen the Shai-Hulud supply chain worm, I wondered how this kind of attack would impact the Mason ecosystem. As far as I understand the situation, updates from upstream sources get merged by Renovate immediately and without any further inspection. Since Mason does not implement any sandboxing (as I understand), supply chain attacks on upstream sources are going to hit developer systems directly.
To mitigate supply chain attacks, I suggest adding some grace period for new versions of source packages. https://docs.renovatebot.com/configuration-options/#minimumreleaseage This would add some response time if attacks like Shai-Hulud emerge.
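As an added illustration of the proposed setting (not part of the original issue, and not the Mason registry's actual Renovate configuration), a `renovate.json` fragment that holds every new upstream version for a grace period before Renovate will open or merge an update; the 3-day and 7-day values and the datasource rule are assumptions:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "description": "Assumed example: default grace period for all datasources",
  "minimumReleaseAge": "3 days",

  "internalChecksFilter": "strict",

  "packageRules": [
    {
      "description": "Assumed example: longer hold for the registries hit by Shai-Hulud style worms",
      "matchDatasources": ["npm", "pypi"],
      "minimumReleaseAge": "7 days"
    }
  ]
}
```

`internalChecksFilter: "strict"` makes Renovate propose the newest version that has already passed the age check instead of skipping the update entirely; the hold only applies where the datasource reports a release timestamp (npm, PyPI and GitHub releases do).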