Saturday, April 20, 2024

What Open Source projects are unmaintained and should you target for takeover?

I spent some time looking at which open source packages have not been maintained or updated, and who depends on those packages. The answer is YOU :)

I really like this quick Reagent query as an example. There are three hundred and fifty Pip packages in the top 5000 Pip packages with no updates since 2020? Perfect for JiaTaning!

I'm not printing all of them because that's not great as a format for a blogpost, but if you want to know more, feel free to email me. 


Of course, there are also dependencies to worry about. One Pip package can "Require" another Pip package, and we look at that with the query below:

72 packages are at risk from packages not maintained since 2017. 525 if you look at packages not updated since 2020 - a full 10% of the total of the top 5000.
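The two checks above (stale packages, then packages that "Require" a stale package) are easy to reproduce outside Neo4j. The following is an added example, not the Reagent query from this post: a stand-alone Python sketch over a constructed inventory. Every package name, release date and requirement in `PACKAGES` is invented for illustration; in practice you would populate it from PyPI's JSON metadata (release upload times and `requires_dist`). It goes one step further than the post's query by optionally following "Requires" edges transitively, so a maintained dependency that itself pulls in a stale one still counts.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (NOT real PyPI data):
# name -> (date of latest release, list of packages it requires).
# In practice this comes from PyPI's JSON metadata (upload times, requires_dist).
PACKAGES = {
    "webframework":   (date(2024, 3, 2),   ["templating", "httpclient"]),
    "templating":     (date(2019, 6, 14),  ["markupsafe-ish"]),
    "markupsafe-ish": (date(2023, 11, 1),  []),
    "httpclient":     (date(2024, 1, 20),  ["urlparse-old"]),
    "urlparse-old":   (date(2016, 9, 3),   []),
    "cli-tool":       (date(2022, 5, 5),   []),
    "legacy-auth":    (date(2017, 12, 30), []),
    "dashboard":      (date(2024, 4, 1),   ["webframework", "legacy-auth"]),
}


def unmaintained(packages, cutoff_year):
    """Names of packages whose latest release predates `cutoff_year`
    (the post's 'no updates since 2020' check)."""
    return {name for name, (last_release, _) in packages.items()
            if last_release.year < cutoff_year}


def at_risk(packages, cutoff_year, transitive=True):
    """Packages that require an unmaintained package, mapped to the stale
    packages they reach. With transitive=True the 'Requires' edges are
    followed through intermediate packages (breadth-first), so a maintained
    dependency that itself pulls in a stale one still counts."""
    stale = unmaintained(packages, cutoff_year)
    report = {}
    for name, (_, requires) in packages.items():
        seen, queue, hits = set(), deque(requires), set()
        while queue:
            dep = queue.popleft()
            if dep in seen:
                continue
            seen.add(dep)
            if dep in stale:
                hits.add(dep)
            if transitive:
                # Dependencies outside the inventory contribute no further edges.
                queue.extend(packages.get(dep, (None, []))[1])
        if hits:
            report[name] = hits
    return report


def risk_share(packages, cutoff_year, transitive=True):
    """Fraction of the inventory that is at risk (the post's '10% of the top 5000')."""
    return len(at_risk(packages, cutoff_year, transitive)) / len(packages)


def print_report(packages, cutoff_year):
    print(f"unmaintained since {cutoff_year}: "
          f"{sorted(unmaintained(packages, cutoff_year))}")
    for name, hits in sorted(at_risk(packages, cutoff_year).items()):
        print(f"  {name} depends on stale: {sorted(hits)}")
    print(f"share at risk: {risk_share(packages, cutoff_year):.0%}")


if __name__ == "__main__":
    for year in (2017, 2020):
        print_report(PACKAGES, year)
```

Run it as a script to get the same two cutoffs the post uses (2017 and 2020). Note that with `transitive=True` the at-risk count is a ceiling: `dashboard` is flagged both for its own stale requirement (`legacy-auth`) and for stale packages two hops away, which is the figure you want when deciding what to pin, vendor or replace.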


This is just looking at a small piece of the puzzle - but Pip is probably the most important repository and software source on the planet, and we know it's often targeted by adversaries. Being able to predict where the next Jia Tan is targeting is important, but also quite easy with some simple Neo4j queries on Reagent!
