Since I just completed Developing Secure Software and got my certificate, I’ve been paying more attention to the security side of the software development process. This article about npm and PyPI security caught my eye.
The article describes a paper that evaluates the security practices of these widely used software repositories and finds them lacking. They do follow many of the best practices but fall short on others. Fewer than 1% of packages were found to have vulnerable patterns, but that is little comfort if you use one of them and get attacked.
Anyway, a good article and paper, and a word to the wise about evaluating and choosing public software packages.