Package Manager CWEs
Package manager CWEs are directly actionable for supply chain security, a key concern for developer tooling.
A cross-tool analysis of package manager CVEs identifies persistent failure modes: path traversal and symlink following during archive extraction (CWE-22 and CWE-59, the Zip Slip family) and argument injection into VCS commands (CWE-88). These have recurred for twenty years because each new package manager reimplements the same flawed patterns; partial fixes that handle only one separator, only symlinks, or only backslashes do not prevent repeats. Design-level risks such as install scripts running with the invoking user's privileges fall outside the CVE process yet account for more real-world compromise.
Resolve every archive entry, including symlink targets, against the destination directory before writing it; pass VCS arguments as an argument list and reject values the tool would parse as options; and treat design-level trust issues (e.g., install script privileges) as separate, higher-priority threat vectors that CVE counts will not surface.
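The two checks above, written out as an added example rather than code from the analysis or from any package manager: a path-containment check for archive entries and symlink targets (CWE-22/59), and an argv builder that refuses option-like VCS arguments (CWE-88). The function names, the scratch directory, and every sample entry name and git argument are constructed for illustration.

```python
"""Added example, not from the original article. Defensive checks for the two
recurrent package-manager failure modes: Zip Slip-style archive path traversal
and symlink following (CWE-22/59) and argument injection into VCS commands
(CWE-88). Function names, sample entries and VCS arguments are assumptions
constructed for illustration."""
import os
import posixpath
import re
import tempfile


class UnsafeEntry(ValueError):
    """Raised for an archive entry or VCS argument that must not be used."""


_DRIVE_RE = re.compile(r"^[A-Za-z]:")          # Windows drive-letter prefix
_REF_RE = re.compile(r"^[A-Za-z0-9][\w./-]*$")  # conservative git ref shape


def _normalise(name: str) -> str:
    """Collapse an archive entry name to a relative POSIX path or raise.
    Both '/' and '\\' are treated as separators, because partial fixes
    that check only one of them are exactly what keeps Zip Slip recurring."""
    if "\x00" in name:
        raise UnsafeEntry(f"NUL in entry name: {name!r}")
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm.startswith("/") or _DRIVE_RE.match(norm):
        raise UnsafeEntry(f"absolute entry name: {name!r}")
    if norm == "." or norm.split("/")[0] == "..":
        raise UnsafeEntry(f"empty or traversing entry name: {name!r}")
    return norm


def safe_target(dest: str, name: str) -> str:
    """Return the absolute on-disk path for entry `name` under `dest`, or
    raise UnsafeEntry. The final realpath comparison follows any symlink an
    earlier entry may already have planted inside `dest` (CWE-59)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *_normalise(name).split("/")))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeEntry(f"entry escapes destination: {name!r}")
    return target


def safe_link_target(dest: str, name: str, linkname: str) -> str:
    """Validate a symlink entry located at `name` pointing to `linkname`.
    Relative targets resolve from the link's own directory, so the check
    is done on the joined path rather than on `linkname` alone."""
    if linkname.startswith(("/", "\\")) or _DRIVE_RE.match(linkname):
        raise UnsafeEntry(f"absolute symlink target: {linkname!r}")
    link_dir = posixpath.dirname(_normalise(name))
    return safe_target(dest, posixpath.join(link_dir, linkname))


def git_clone_argv(url: str, rev: str) -> list[str]:
    """Build an argv list (never a shell string) for cloning a pinned ref.
    A value starting with '-' would be parsed by git as an option, which is
    the CWE-88 pattern; it is refused outright rather than relying on '--'."""
    for value in (url, rev):
        if value.startswith("-"):
            raise UnsafeEntry(f"option-like VCS argument: {value!r}")
    if not _REF_RE.match(rev):
        raise UnsafeEntry(f"unexpected characters in revision: {rev!r}")
    # '--' ends option parsing, so the URL can only be taken as positional.
    return ["git", "clone", "--branch=" + rev, "--", url]


def demo() -> dict[str, bool]:
    """Run constructed samples in a scratch directory. True means the check
    accepted the entry or argument, False means it was refused."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as dest:
        samples = [
            ("pkg/__init__.py", None),             # ordinary file
            ("../../.bashrc", None),               # classic Zip Slip
            ("..\\..\\AppData\\evil.dll", None),   # backslash variant
            ("/etc/cron.d/job", None),             # absolute entry name
            ("pkg/link", "../../../../etc"),       # symlink escaping dest
            ("pkg/ok_link", "../__init__.py"),     # symlink staying inside
        ]
        for name, link in samples:
            try:
                if link is None:
                    safe_target(dest, name)
                else:
                    safe_link_target(dest, name, link)
                results[name] = True
            except UnsafeEntry:
                results[name] = False
    for url, rev in [
        ("https://example.com/repo.git", "v1.2.3"),
        ("--upload-pack=/tmp/evil.sh", "main"),         # option smuggled as URL
        ("https://example.com/repo.git", "-c core.x=y"),  # option smuggled as ref
    ]:
        try:
            git_clone_argv(url, rev)
            results[f"git:{url}@{rev}"] = True
        except UnsafeEntry:
            results[f"git:{url}@{rev}"] = False
    return results


if __name__ == "__main__":
    for key, accepted in demo().items():
        print("accept" if accepted else "REJECT", key)
```

The containment check deliberately runs on the realpath of the joined target, not on the normalised entry name alone: a name like `pkg/sub/file` is harmless on its own but escapes the destination if an earlier entry already made `pkg/sub` a symlink to somewhere outside, which is the CWE-59 variant of the same bug.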
As a senior engineer building agent orchestration and cloud infrastructure, you likely depend on package managers (pip, npm, etc.) for dependency management—understanding these recurrent failure modes helps you audit your toolchain and avoid repeat vulnerabilities in custom package-handling code.