What are the best tools for hardening OSS against supply chain attacks?

Building open source via @frames, /open-frames to help Farcaster and decentralized social win. a16z CSX23. Side projects: farcasterchannels.com farcaster.id

thread https://x.com/brunobar79/status/1389724665338269701?s=46

Design and software at Apple. Also into AI, philosophy of mind, ethics.

✨ Founder + CEO Socket (socket.dev) • 🌲 Stanford lecturer (cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS • 🧙‍♂️ Mad scientist

I think the only real defense technically is to slow down updates, create test environments, and avoid pushing anything to the main branch within a two-week or longer time window.

Snyk is the only tool I've heard about https://snyk.io/series/software-supply-chain-security/attacks/

https://www.npmjs.com/package/audit-ci is nice, sharing more as I search