Do worms thrive on version ranges?
I don’t know about you, but the recent npm supply-chain attacks felt like some of us developers were asleep at the wheel. And if we stay awake long enough, we’ll probably see a Shai-Hulud-style attack in other package managers in the near future.
Shai-Hulud is a self-propagating worm that attackers inserted into a new version of a package after taking over a maintainer’s npmjs.com account. Every downstream app that declared the dependency as a version range then auto-ingested the compromised release.
So what’s a development team to do?
✅ Replace version ranges in package files with exact versions
✅ Rotate CI and API tokens (regularly)
✅ Enforce account-level MFA
And as of this week, teams can also ✅ use Metaport to identify, across project portfolios, which applications have dependencies declared as locked versions and which use ranges.
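As an added illustration of the first checklist item (example code, not from the original post or from Metaport), the script below scans a package.json for dependency specifiers that are ranges rather than exact versions, then rewrites the ranges to the versions a lockfile actually resolved. The manifest and resolved-version map are constructed sample data; the `resolved` map is assumed to have been read from the lockfile.

```javascript
// Added example: flag version ranges in a package.json and pin them to the
// exact versions a lockfile resolved. Sample data below is constructed.

// An exact npm version: MAJOR.MINOR.PATCH with optional prerelease/build.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns every specifier that is NOT an exact version: carets, tildes,
// comparison ranges, wildcards, dist-tags such as "latest", git/URL specs.
function findRangeSpecs(pkg) {
  const hits = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(String(spec).trim())) hits.push({ section, name, spec });
    }
  }
  return hits;
}

// Rewrites each range to the exact version recorded in `resolved` (assumed to
// come from the lockfile). Packages with no usable resolved version are left
// unchanged and reported so a human can decide what to pin them to.
function pinToResolved(pkg, resolved) {
  const out = JSON.parse(JSON.stringify(pkg)); // never mutate the input
  const unresolved = [];
  for (const hit of findRangeSpecs(pkg)) {
    const version = resolved[hit.name];
    if (version && EXACT_VERSION.test(version)) {
      out[hit.section][hit.name] = version;
    } else {
      unresolved.push(hit);
    }
  }
  return { pkg: out, unresolved };
}

// Constructed sample manifest and resolved-version map (not a real project).
const SAMPLE_PKG = {
  name: 'sample-app',
  dependencies: { lodash: '^4.17.21', express: '4.18.2', debug: '~4.3.0' },
  devDependencies: { jest: '>=29', eslint: '8.50.0', 'my-tool': 'latest' },
};
const SAMPLE_RESOLVED = { lodash: '4.17.21', debug: '4.3.4', jest: '29.7.0' };

console.log('ranges found:', findRangeSpecs(SAMPLE_PKG));
console.log('pinned:', JSON.stringify(pinToResolved(SAMPLE_PKG, SAMPLE_RESOLVED), null, 2));
```

Exact specifiers in package.json only pin direct dependencies; the transitive tree is pinned by the committed lockfile, so install with `npm ci` (which refuses to drift from it) rather than `npm install` in CI.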
If you lead a studio, agency, or an in-house delivery team, make this week the week you make some process changes.
Yes, locking versions means more work at upgrade time, but think of it as a revenue stream: now is the ideal time to remind customers why they need a maintenance contract with you.
Humans are notoriously reactive; what’s “unforeseeable” often looks obvious in hindsight, which is one more reason we built Metaport:
🔎 Search portfolios for packages declared as ranges.
🔊 Get notified in advance of EOL software.
🚀 Surface apps by dependency name + version in seconds.
🛡️ Understand which apps are affected by a CVE.
We’ve worked inside the same delivery teams as you. Maintenance still isn’t glamorous, but it is how teams keep velocity and credibility after the headlines and the urgency fade.
Check out Metaport at getmetaport.com and say hello to a free demo.