ansi-regex

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Some open source projects have a history of security lapses that culminated with a publication of one or more malicious component versions. To ensure that repeated supply chain incidents do not occur, the open source project should be closely monitored for up to two years. All software package versions that are published within two years of the malware incident will convey a warning about the history of security incidents tied to the open source project.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Some open source repositories allow the developers to take down software component versions that they have published. For open source projects, version unpublishing is uncommon. Versions are typically removed due to a security incident, such as malicious code tampering or accidental development secrets exposure. Software developers often prioritize taking down such packages before informing the community that they have experienced a security incident. Therefore, it is prudent to review the reasons behind software version removals as these events might be a signal of an ongoing software supply chain attack.