Interesting. How long does it usually take for an attack to be identified and catalogued at OSV? Should this be used together with minimum release date?
I don't have the exact number for you, but what I observed was that it took a couple of hours for npm to remove some of the packages this week, even though an advisory was published.
+ To be clear, this tool does not solve the problem if you are one of the first people to get infected; it minimizes your chance if you are the N-th person.