Dependency Confusion
ELI5 — The Vibe Check
Dependency Confusion tricks package managers into downloading a malicious public package instead of your private one. If your company has 'mycompany-utils' internally, an attacker publishes 'mycompany-utils' on npm with a higher version. Your build grabs the evil one. Sneaky and devastating.
Real Talk
Dependency confusion exploits package-manager resolution logic that, when the same name exists on both a private registry and a public one, prefers the public (typically higher-versioned) copy. Attackers publish packages with the same name as internal packages but higher version numbers. Mitigations include scoped packages, registry pinning, and namespace reservation (claiming your internal names or scope on the public registry before anyone else can).
When You'll Hear This
"Dependency confusion is why we scope all internal packages as @company/package." / "Our .npmrc pins the registry for internal packages to prevent substitution."
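An added example (not code from the page or from any project it names) that audits a package.json against a .npmrc for the two mitigations just mentioned, scoping and registry pinning; the package names, the @company and @company-tools scopes, the mycompany- prefix and the registry URL are constructed placeholders.

```javascript
// Added example: flag dependencies exposed to dependency confusion.
// Two checks: (1) internal packages that are unscoped, so anyone can publish
// the same name on the public registry; (2) internal scopes that are not
// pinned to a private registry in .npmrc.

// Parse "@scope:registry=URL" lines from .npmrc into { scope: url }.
function parseNpmrc(text) {
  const scopes = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = line.match(/^(@[^:=]+):registry=(.+)$/);
    if (m) scopes[m[1]] = m[2].trim();
  }
  return scopes;
}

// Walk dependencies and devDependencies; return a list of findings.
function auditDependencies(pkg, scopes, { internalPrefix, internalScopes }) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (name.startsWith('@')) {
      const scope = name.split('/')[0];
      // Scoped internal package, but the scope is not pinned: a proxy
      // registry could still resolve it from the public registry.
      if (internalScopes.includes(scope) && !scopes[scope]) {
        findings.push({ name, issue: `scope ${scope} is not pinned to a registry in .npmrc` });
      }
    } else if (name.startsWith(internalPrefix)) {
      // Unscoped internal name: the public registry can hand out a
      // higher-versioned package of the same name.
      findings.push({ name, issue: 'internal package is unscoped; public name can be claimed' });
    }
  }
  return findings;
}

// Constructed sample inputs (placeholders, not real packages or registries).
const SAMPLE_NPMRC =
  '@company:registry=https://npm.example.internal/\nregistry=https://registry.npmjs.org/\n';
const SAMPLE_PKG = {
  dependencies: { 'mycompany-utils': '^1.2.0', '@company/utils': '^2.0.0', react: '^18.2.0' },
  devDependencies: { '@company-tools/lint': '^1.0.0' },
};

function runAudit() {
  const scopes = parseNpmrc(SAMPLE_NPMRC);
  return auditDependencies(SAMPLE_PKG, scopes, {
    internalPrefix: 'mycompany-', internalScopes: ['@company', '@company-tools'] });
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the sample input the audit reports `mycompany-utils` (unscoped) and `@company-tools/lint` (scope not pinned), while `@company/utils` passes because its scope is pinned.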
Related Terms
npm
npm is like a vending machine for code. You say 'I want React' and it delivers React, plus React's 47 friends, plus their friends' friends.
SCA
SCA checks if the libraries you're using have known vulnerabilities. You didn't write the bug, but you imported it. That lodash version from 2019?
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.
Typosquatting
Typosquatting is when attackers publish malicious packages with names that are one typo away from popular ones. 'lodahs' instead of 'lodash'.