Clarify upstream trust description in documentation#387
Open
ciaracarey wants to merge 1 commit intomainfrom
Open
Clarify upstream trust description in documentation#387ciaracarey wants to merge 1 commit intomainfrom
ciaracarey wants to merge 1 commit intomainfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Upstream Trust documentation to broaden/clarify the threat model it claims to mitigate.
Changes:
- Expands the opening definition to mention “dependency confusion” in addition to “namesquatting”.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+6
to
7
| Upstream trust is a supply chain security feature that prevents dependency confusion or namesquatting attacks where bad actors hijack your internal package name in public repositories. By designating upstream sources as trusted or untrusted, you control which sources are permitted to serve versions of packages that exist in your private repository or other trusted sources. | ||
| This is particularly important for organizations that publish private packages alongside public open-source dependencies. Without upstream trust, a malicious actor could publish a package with the same name as your private package to a public registry, potentially tricking your build systems into pulling the attacker's version instead of your own. |
There was a problem hiding this comment.
The addition of “dependency confusion” here makes the description internally inconsistent: later in this document the feature is described only as namesquatting protection (e.g., “protected from namesquatting” and “protects against namesquatting”). Either update the rest of the page to consistently describe both threats (and distinguish them), or remove “dependency confusion” to avoid over-claiming / confusing readers. Also consider aligning the dependency confusion description with the definition used elsewhere in the docs (src/content/formats/python-repository.mdx around the Dependency confusion note).
Suggested change
| Upstream trust is a supply chain security feature that prevents dependency confusion or namesquatting attacks where bad actors hijack your internal package name in public repositories. By designating upstream sources as trusted or untrusted, you control which sources are permitted to serve versions of packages that exist in your private repository or other trusted sources. | |
| This is particularly important for organizations that publish private packages alongside public open-source dependencies. Without upstream trust, a malicious actor could publish a package with the same name as your private package to a public registry, potentially tricking your build systems into pulling the attacker's version instead of your own. | |
| Upstream trust is a supply chain security feature that protects against namesquatting attacks where bad actors publish packages using the same names as your internal packages in public repositories. By designating upstream sources as trusted or untrusted, you control which sources are permitted to serve versions of packages that exist in your private repository or other trusted sources. | |
| This is particularly important for organizations that publish private packages alongside public open-source dependencies. Without upstream trust, a malicious actor could publish a package with the same name as your private package to a public registry, potentially tricking your build systems into pulling the attacker's package instead of your own. |
|
|
||
| # Upstream Trust | ||
| Upstream trust is a supply chain security feature that prevents namesquatting attacks where bad actors hijack your internal package name in public repositories. By designating upstream sources as trusted or untrusted, you control which sources are permitted to serve versions of packages that exist in your private repository or other trusted sources. | ||
| Upstream trust is a supply chain security feature that prevents dependency confusion or namesquatting attacks where bad actors hijack your internal package name in public repositories. By designating upstream sources as trusted or untrusted, you control which sources are permitted to serve versions of packages that exist in your private repository or other trusted sources. |
Contributor
There was a problem hiding this comment.
I’d probably keep it scoped to namesquatting for now. Dependency confusion covers a few different attack vectors, and upstream trust only protects against namesquatting really.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.