Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How do you prevent exposing yourself to supply chain attacks like the tj-actions/changed-files one [0] if you don't?

I get your question regarding scaling, but that's the job: you can choose to outsource code to 3rd-party libraries, and eternal vigilance is the trade-off.

Assume your 3rd-party dependencies will try to attack you at some point: they could be malicious; they could be hacked; they could be issued a secret court order; they could be corrupted; they could be beaten up until they pushed a change.

Unless you have some sort of contract or other legal protection and feel comfortable enforcing them, behave accordingly.

0: https://www.wiz.io/blog/github-action-tj-actions-changed-fil...



Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: