So the poster is mad about abusing dependency confusion and expects a big tech company to reward them blindly?
Do they not realize that most big tech companies have moved on to single feeds that are governed by their own security/inventory teams? Using a public registry is an anti-pattern now and has been for a while, well before “dependency confusion”.
Not all package managers have implemented a stopgap to the problem either. I’m a bit disappointed to see this article though. The world runs on trust, and we all trust that people won’t abuse known vectors for their own gain.