Signed-off-by: angela-zhang <30538317+angela-zhang@users.noreply.github.com>
s-stumbo
approved these changes
Apr 20, 2026
mosabua
requested changes
Apr 20, 2026
| Repository provides. | ||
|
|
||
| However, if upstream fallback is not enabled or you prefer to manage your own fallback | ||
| ordering: you can configure `https://libraries.cgr.dev/javascript/` as a remote |
| * **After the cooldown period**: The package is checked against malware scanning. If it passes, it is proxied from the npm Registry. | ||
| * **Malware detected**: Any package version with a known malware identifier (MAL ID) is blocked and never served, whether it originates from Chainguard builds or the npm upstream. Malware scanning runs on all packages, including those proxied from npm. | ||
| * Malware scanning checks all packages against the Open Source Vulnerabilities (OSV) database, which includes the OpenSSF Malicious Packages feed among other sources. Any package version flagged with a malware identifier is blocked before it can be served. This covers reported malicious packages across the npm ecosystem; packages with unreported or novel malware may not be detected by scanning alone, which is why building from verified source remains the primary defense. No newline at end of file | ||
| * Malware scanning checks all packages against the [Open Source Vulnerabilities (OSV) database](https://osv.dev/), which includes the OpenSSF Malicious Packages feed among other sources. Any package version flagged with a known MAL ID is blocked before it can be served. This covers reported malicious packages across the npm ecosystem; packages with unreported or novel malware may not be detected by scanning alone, which is why building from verified source remains the primary defense. |
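Review bot: the "Malware detected" bullet and the new "Malware scanning checks all packages" bullet in this region say the same thing twice (a version with a known MAL ID is blocked); merge them, or restrict the second bullet to describing the data source (the OSV database and the OpenSSF Malicious Packages feed). In the cooldown bullet, "checked against malware scanning" should read "scanned for malware", and "ordering: you can configure" uses a colon where a comma belongs.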
remove "before it can be served" .. that makes it sound like it might get served anyway eventually.
Also npm ecosystem. Packages .. however the logic in that last sentence does really make sense to me, and it also glosses over the fact that we don't scan code ourselves.. so the defense is just that malware source code is missing typically. But for example, what if it is loaded remotely and we don't detect the loader?
| * Malware scanning checks all packages against the Open Source Vulnerabilities (OSV) database, which includes the OpenSSF Malicious Packages feed among other sources. Any package version flagged with a malware identifier is blocked before it can be served. This covers reported malicious packages across the npm ecosystem; packages with unreported or novel malware may not be detected by scanning alone, which is why building from verified source remains the primary defense. No newline at end of file | ||
| * Malware scanning checks all packages against the [Open Source Vulnerabilities (OSV) database](https://osv.dev/), which includes the OpenSSF Malicious Packages feed among other sources. Any package version flagged with a known MAL ID is blocked before it can be served. This covers reported malicious packages across the npm ecosystem; packages with unreported or novel malware may not be detected by scanning alone, which is why building from verified source remains the primary defense. | ||
|
|
||
| > **Note**: Chainguard Repository for JavaScript is not a full mirror of npm. With fallback enabled, Chainguard does not guarantee that evey package and version on npm will be available. Packages can be delayed by cooldown or permanently blocked by malware policies. |
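Review bot: "evey" should be "every" in the Note. The Note also scopes the missing-package caveat to "With fallback enabled", but the earlier "Malware detected" bullet states that MAL ID blocking applies whether a package comes from Chainguard builds or the npm upstream, so the "permanently blocked by malware policies" clause holds regardless of the fallback setting; only the cooldown delay is specific to proxied packages.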
This is backwards.. we should point out that it is not a full mirror on purpose and why (no malware). That invalidates the whole talk about "guarantee"