Security · 1h ago
Pre-install gate catches typosquatting SBOMs miss
A supply-chain gate checks package names against a vouched baseline before npm install runs, returning ALLOW or DENY for each name. SBOMs and CVE scans run after install cannot detect typosquatted or hallucinated package names, because by then the package is already on disk. The tool, supply_chain_gate.py, uses edit distance to flag one-letter-off names like 'expresss' as DENY.
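The pre-install check described above, as an added example (this is not supply_chain_gate.py from the article, and the baseline list and ALLOW/DENY rules are my own construction): a name is allowed only if it is in the vouched baseline, denied as a likely typosquat if it is within edit distance 1 of a baseline entry, and denied as unvouched otherwise.

```python
"""Pre-install package-name gate (added example, not the article's tool).

Returns ALLOW only for names in a vouched baseline. Names one edit away from a
baseline entry are denied as likely typosquats; any other unknown name is
denied as unvouched (the hallucinated-package case).
"""

# Constructed sample baseline; a real one would be built from reviewed lockfiles.
BASELINE = {"express", "lodash", "react", "axios", "left-pad"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions from a to b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def gate(name: str, baseline=BASELINE, max_distance: int = 1):
    """Return (verdict, reason) for one requested package name."""
    name = name.strip().lower()
    if name in baseline:
        return "ALLOW", "vouched"
    near = sorted(v for v in baseline if levenshtein(name, v) <= max_distance)
    if near:
        return "DENY", f"possible typosquat of {near[0]}"
    return "DENY", "not in vouched baseline (unknown or hallucinated)"


def gate_all(names):
    """Gate every requested name; install proceeds only if all verdicts are ALLOW."""
    results = {n: gate(n) for n in names}
    return all(v == "ALLOW" for v, _ in results.values()), results


if __name__ == "__main__":
    ok, report = gate_all(["express", "expresss", "lodash", "react-utils-pro"])
    for pkg, (verdict, why) in report.items():
        print(f"{verdict:5} {pkg}: {why}")
    print("install allowed" if ok else "install blocked")
```

Plain Levenshtein counts a swapped pair of letters as two edits, so a gate that should also catch transpositions would use Damerau-Levenshtein or raise max_distance.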
Meridian48 take
The argument is sound but narrow: SBOMs are receipts, not guards; the real gap is that post-install scans miss pre-install risks like typosquatting or hallucinated packages.
Read the full reporting
An SBOM Proves What You Installed. It Can't Prove You Should Have. →
DEV Community
supply-chain-security · typosquatting