How do you all go about validating that there’s nothing malicious in your nuget packages?

Is there a best practice for this?

It’s easy if the package is from a known source like Microsoft but I’m curious what you do for lesser know people?

I will usually see how many others are using it, probably scan the code in the GITHUB repo. Sometimes if it’s a lesser known dev I’ll just pull from GITHub rather than using NuGet.

Today however, I was looking at a package and the nuget package itself looks fine but it contains some C++ code that is compiled elsewhere…fine I’ll go get that and see. But that code requires CMake and some other 3rd party add-ons which I also have to review.

I’m not aware of any audits on NuGet that would prevent bad people from uploading code. What do you all do to protect the integrity of your software?

  • jvisick
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    1 year ago

    I only use packages that are from a reputable source and/or have a huge amount of downloads. It’s not a perfect system, but I’ve never had a problem so far.

    If the downloads are low and I’ve never heard of the author, either a) I don’t need it and can build a solution myself or b) it’s a niche package that’s small enough that I can audit it by skimming the GitHub repo.

    The normal common sense rules still apply - check for typos and any attempts to look like they’re a package or author that they’re not

    • bugsmithA
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Absolutely the same for me.

      I have never, to my recollection, needed a large but niche packet that isn’t either clearly reputable (wisdom of the masses) or verified by someone who’s reputation is crucial (e.g. Microsoft).

      I have on on many occasions used a small niche package though that was just a time saver. Something where I could either invest significant time in rolling my own solution out, or spend considerably less time checking out a small repo.