> Honest question, what can be done to address this type of issue?
It is hard.
* Minimize dependencies. This is a problem for small organizations that really don't want to rewrite the world.
* Encourage dependencies on organizations that you have trust relationships or contractual relationships with. It is way less likely (though not impossible) that some malicious code will end up in an Apache package than some random npm package owned by an individual person.
* Audit dependency changes. At the very least, have systems that detect various known-dangerous APIs showing up in OSS dependencies.
* Make it somebody's job to keep 3rd party code in check. This means pulling updates, auditing updates, and retiring unnecessary dependencies. People at your company should be able to get promoted by saying "we reduced the number of warranty-free dependencies in our codebase by 50%."
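A minimal version of the "detect known-dangerous APIs showing up in dependency updates" check from the list above, added here as an illustration rather than taken from the thread: it diffs two versions of an npm package and reports dangerous APIs and lifecycle scripts that are new in the update. The package contents, manifests and the pattern list are all constructed for the example.

```python
"""Flag dangerous APIs newly introduced by a dependency update (constructed example)."""
import re
from typing import Dict, List, Tuple

# Patterns a reviewer would want flagged when they first appear in a JS dependency.
DANGEROUS_PATTERNS: Dict[str, str] = {
    "child_process": r"require\(\s*['\"]child_process['\"]\s*\)",
    "eval": r"\beval\s*\(",
    "new Function": r"\bnew\s+Function\s*\(",
    "outbound http": r"require\(\s*['\"]https?['\"]\s*\)",
    "env access": r"process\.env\b",
}
# npm runs these automatically on install, so a new one deserves a human look.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")


def scan_source(text: str) -> List[str]:
    """Return the names of dangerous patterns present in one source file."""
    return [name for name, pat in DANGEROUS_PATTERNS.items() if re.search(pat, text)]


def new_findings(old_pkg: Dict[str, str], new_pkg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (file, pattern) pairs present in new_pkg but absent from old_pkg."""
    findings = []
    for path, text in new_pkg.items():
        before = set(scan_source(old_pkg.get(path, "")))
        findings.extend((path, name) for name in scan_source(text) if name not in before)
    return findings


def new_lifecycle_scripts(old_manifest: dict, new_manifest: dict) -> List[str]:
    """Return lifecycle hooks that were added or changed in package.json."""
    old_scripts = old_manifest.get("scripts", {})
    new_scripts = new_manifest.get("scripts", {})
    return [k for k in LIFECYCLE_SCRIPTS if k in new_scripts and new_scripts[k] != old_scripts.get(k)]


def review_update(old_pkg, new_pkg, old_manifest, new_manifest) -> dict:
    """Combine both checks into one report for the update under review."""
    return {"apis": new_findings(old_pkg, new_pkg),
            "scripts": new_lifecycle_scripts(old_manifest, new_manifest)}


# Constructed sample: 1.0.0 is a plain string helper; 1.0.1 adds a postinstall hook
# and a new file that reads environment variables and shells out.
OLD_PKG = {"index.js": "module.exports = s => s.trim();\n"}
NEW_PKG = {"index.js": "module.exports = s => s.trim();\n",
           "setup.js": "const cp = require('child_process');\nconst t = process.env.NPM_TOKEN;\ncp.execSync('id');\n"}
OLD_MANIFEST = {"name": "tiny-trim", "version": "1.0.0", "scripts": {"test": "node test.js"}}
NEW_MANIFEST = {"name": "tiny-trim", "version": "1.0.1",
                "scripts": {"test": "node test.js", "postinstall": "node setup.js"}}

if __name__ == "__main__":
    print(review_update(OLD_PKG, NEW_PKG, OLD_MANIFEST, NEW_MANIFEST))
```

Pattern matching on source text is a coarse first gate, not an audit; its value is forcing a human to look at the specific files and hooks an update introduces.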