Post details

We should all be using dependency cooldowns https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns #security #oss

Sun, 23 Nov 2025 09:21 by Jamie Tanna . #open-source #supply-chain-security #renovate #dependabot.

Bookmarked We should all be using dependency cooldowns

Post details

Sun, 23 Nov 2025 09:08 by Jamie Tanna . #open-source #supply-chain-security #renovate #dependabot.

Bookmark

Bookmarked Actions pull_request_target and environment branch protections changes - GitHub Changelog

Post details

GitHub is updating how GitHub Actions’ pull_request_target and environment branch protection rules are evaluated for pull-request-related events. These changes will take effect on 12/8/2025. They aim to reduce security critical…

Sat, 08 Nov 2025 08:59 by Jamie Tanna . #github #supply-chain-security.

Note

My first blog post on the #Mend blog is naturally all about #Renovate: Building a more secure npm ecosystem with Mend Renovate

This has been something we've been building up to for ~2 months of hard work making it as predictable as possible, highly documented and builds on top of ~6 years of Renovate having this functionality

Fri, 07 Nov 2025 10:44 by Jamie Tanna . #npm #supply-chain-security #mend #renovate.

Bookmark

Bookmarked Supply chain attacks are exploiting our assumptions

Post details

Supply chain attacks exploit fundamental trust assumptions in modern software development, from typosquatting to compromised build pipelines, while new defensive tools are emerging to make these trust relationships explicit and verifiable.

Thu, 06 Nov 2025 23:19 by Jamie Tanna . #supply-chain-security.

Article

Building a more secure npm ecosystem with Mend Renovate (5 mins read).

Discover how Mend Renovate 42 is strengthening npm ecosystem security with "minimum release age” enforcement and best-practice defaults.

Thu, 06 Nov 2025 21:13 by Jamie Tanna . #renovate #supply-chain-security #mend.

Liked https://www.synacktiv.com/publications/github-actions-exploitation-dependabot .

Wed, 29 Oct 2025 11:03 by Jamie Tanna . #dependabot #supply-chain-security.

Note

Off the back of the tj-actions/changed-files #SupplyChainSecurity attack, I've written up how you can use #DependencyManagementData to determine the impact across your org - already found it's been very useful 👀

Sat, 15 Mar 2025 14:48 by Jamie Tanna . #supply-chain-security #dependency-management-data.

Repost

Reposted Tane Piper ⁂ (@tanepiper@tane.codes)

Post details

#npm is 14 years old - 8 years ago I wrote a first proof of concept of a supply chain attack, Microsoft have owned it for 4 years and have done absolutely nothing to secure it. (That supply chain attack - https://github.com/tanepiper/steal-ur-stuff)

Tue, 05 Nov 2024 19:41 by Jamie Tanna . #security #supply-chain-security #npm.

Liked GitHub - woodruffw/zizmor: A tool for finding security issues in GitHub Actions setups.

Post details

A tool for finding security issues in GitHub Actions setups. - woodruffw/zizmor

Mon, 28 Oct 2024 07:46 by Jamie Tanna . #github-actions #security #supply-chain-security.

Liked You can’t fix issues if you can’t find them by Ben Cotton

Post details

Organizations often struggle to identify vulnerabilities and risks hidden within the layers of dependencies. Address it by using an holistic approach to software security.

Sat, 19 Oct 2024 07:29 by Jamie Tanna . #supply-chain-security.

Liked On Tech Debt: My Rust Library is now a CDO

Post details

Bringing the great successes of financial engineering to Rust.

Thu, 28 Mar 2024 10:45 by Jamie Tanna . #supply-chain-security.

Liked Software supply chain security: Broader than SolarWinds and Log4J

Post details

Everything you need to know about securing the software supply chain.

Mon, 18 Mar 2024 22:32 by Jamie Tanna . #supply-chain-security.

Liked https://www.softwaremaxims.com/blog/not-a-supplier .

Tue, 16 Jan 2024 17:08 by Jamie Tanna . #open-source #supply-chain-security.

Liked Software Bill of Materials (SBOM): The Gateway Drug to Supply Chain Security by Kyle at CramHacks

Post details

Hey, do you know about supply chain security? ... You mean SBOMs?

Sat, 30 Dec 2023 14:27 by Jamie Tanna . #sbom #security #supply-chain-security.

Liked GitHub - safedep/vet: Tool to achieve policy driven vetting of open source dependencies

Post details

Tool to achieve policy driven vetting of open source dependencies - GitHub - safedep/vet: Tool to achieve policy driven vetting of open source dependencies

Sat, 30 Dec 2023 12:43 by Jamie Tanna . #security #supply-chain-security.

You're currently viewing page 1 of 1, of 16 posts.

Tag supply-chain-security