Dependency Firewall Single-Engineer Group

Dependency Firewall Single-Engineer Group

The Dependency Firewall SEG is a Single-Engineer Group within our Incubation Engineering Department.

We have an existing Dependency Firewall category which aims to prevent any unknown or unverified providers from introducing potential security vulnerabilities. This SEG will work closely with that group to accelerate the development of the Dependency Firewall feature, and integrate closely with the work taking place on the Dependency Proxy.

An initial MVP may be to implement NPM Audit with a UX that allows a user to specify an allow/deny list against criteria for the container registry. Criteria can include checking for missing author name, email, or look for the existance of specific licenses. We can also add rules to stop dependencies being downloaded immediately after an author change, as an example.

Following NPM, we can then iterate to look at other popular package managers such as Maven, Python, and Nuget.

Last modified January 24, 2024: Fix broken Single-Engineer Group links (59f64430)