
jadar, today at 3:34 AM (3 replies)

How much do you want to bet me that the credential was stolen during the previous LiteLLM incident? At what point are we going to have to stop using these package managers because it's not secure? I've got to admit, it's got me nervous to use Python or Node.js these days, but it's really a universal problem.


Replies

rybosome, today at 3:46 AM

> it’s got me nervous to use Python or Node.js these days

My feelings precisely. Min package age (supported in uv and all JS package managers) is nice but I still feel extremely hesitant to upgrade my deps or start a new project at the moment.

I don’t think this is going to stabilize any time soon, so figuring out how to handle potentially compromised deps is something we will all need to think about.

crimsonnoodle58, today at 5:20 AM

More like the Trivy incident (which led to the compromise of LiteLLM).

supernes, today at 6:06 AM

There are ways to limit the blast radius, like running them in ephemeral rootless containers with only the project files mounted.
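Added example, not code from the thread, of what supernes describes: a small POSIX shell wrapper that runs a dependency install in an ephemeral rootless podman container with only the project directory mounted. It assumes rootless podman is installed; the image name and the refusal rules for the mount path are assumptions of this example.

```shell
#!/bin/sh
# Added example: run project tooling (pip/npm install, tests) in an ephemeral
# rootless podman container with only the project directory mounted, so a
# malicious dependency cannot read ~/.ssh, ~/.aws, ~/.npmrc or host env tokens.
# Assumes rootless podman; the image name below is an assumption.

SANDBOX_IMAGE="${SANDBOX_IMAGE:-docker.io/library/python:3.12-slim}"

# Flags applied to every sandboxed run, one per line so they are easy to audit.
#   --rm                 container and its writable layer are discarded on exit
#   --userns=keep-id     your host uid/gid inside, so created files stay yours
#   --cap-drop=ALL       no capabilities even if something becomes "root" inside
#   no-new-privileges    setuid binaries cannot raise privileges
sandbox_flags() {
  cat <<'EOF'
--rm
--userns=keep-id
--cap-drop=ALL
--security-opt=no-new-privileges
--pids-limit=512
EOF
}

# Refuse mounts that would defeat the point: the filesystem root, the home
# directory itself, an empty path, or anything that is not a directory.
check_project_dir() {
  case "$1" in
    ''|/|"$HOME"|"$HOME"/) return 1 ;;
  esac
  [ -d "$1" ]
}

# Usage: run_in_sandbox "$PWD" sh -c 'python -m venv .venv && .venv/bin/pip install -r requirements.txt'
# Install into the project dir (venv, node_modules); everything else written
# inside the container is thrown away. Host env vars are not passed in and
# HOME points at the container's /tmp, so no dotfiles or credentials are visible.
run_in_sandbox() {
  dir="$1"; shift
  check_project_dir "$dir" || { echo "refusing to mount '$dir'" >&2; return 1; }
  # shellcheck disable=SC2046 -- word-splitting the flag list is intended
  podman run $(sandbox_flags) -e HOME=/tmp \
    -v "$dir:/work" -w /work "$SANDBOX_IMAGE" "$@"
}
```

Once dependencies are installed, the same wrapper with `--network=none` added to the flag list runs the project's tests with no way to phone home.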