Dependency Substitution Issues

what are they? dependency substitutions, also known as dependency confusions, are a type of attack where bad actors learn about or guess a company's internal package naming convention and use this knowledge to publish malicious package versions to a public package registry often, this can lead to these substituted packages being installed on developer workstations, and potentially even being deployed refer to our article about package mask configurations docid\ lqfh 51nlqz7 xwxefwt1 to learn how to configure and protect against dependency substitution attacks how does it affect my code? if these malicious substituted packages are installed and/or deployed it can leave you, or your users, vulnerable to attacks such as remote code execution, data access, compromised systems, and more what can i do about it? to protect yourself from using substituted versions of your own internal packages, soos allows you to set a package mask which represents your internal package naming convention soos will then check every package coming from an external package registration to ensure it does not match your internal package naming, and will alert you if one exists