
I'm building a company in this area that looks like something similar. The goal is to provide a safer source for open source application dependencies that augments/replaces e.g. NPM.

We take open source dependencies and:

- Patch vulnerabilities, including in transitive dependencies, even for old or EoL versions that teams may be on

- Continuously vet new versions that are published for malware, and don't bring them into the registry if so

- Inline dependencies that don't need to be separate packages (e.g. fold in trim-newlines, a 1-line NPM package, into a parent package) to simplify dependency trees

This is then available to developers as a one-line change to switch to in e.g. package.json. Once you switch, you no longer need to manually review packages or do any of this scanning/upgrading/vulnerability management work, since you can trust and set policies on the registry.

We're in the very early days and working with a few future-minded developers to get feedback on the design. If you're interested, I'd love to share more! Please email me at neil@syntra.io
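The "set policies on the registry" idea above, as an added example that is not the commenter's or Syntra's code: a lock-file check a team can run in CI so that every package pinned in package-lock.json resolves from the one registry they trust and carries an integrity hash. The registry host, package names and lock contents below are constructed sample data.

```javascript
// Constructed lockfileVersion 3-style "packages" map (sample data, not a real project).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'left-pad-ish': '^1.0.0' } },
    'node_modules/left-pad-ish': {
      version: '1.0.0',
      resolved: 'https://registry.example-curated.test/left-pad-ish/-/left-pad-ish-1.0.0.tgz',
      integrity: 'sha512-CONSTRUCTEDHASH0000000000000000000000000000000000000000000000000000000000000000000==',
    },
    'node_modules/trim-newlines': {
      version: '3.0.1',
      // resolved from a registry other than the trusted one -> should be flagged
      resolved: 'https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.1.tgz',
      integrity: 'sha512-CONSTRUCTEDHASH1111111111111111111111111111111111111111111111111111111111111111111==',
    },
    'node_modules/no-integrity': {
      version: '2.0.0',
      // right registry, but no integrity field -> tarball substitution would go unnoticed
      resolved: 'https://registry.example-curated.test/no-integrity/-/no-integrity-2.0.0.tgz',
    },
  },
};

// Audit a parsed package-lock.json. Returns a list of findings; an empty list
// means every dependency resolves from trustedOrigin and has an integrity hash.
function auditLockfile(lock, trustedOrigin) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;   // root project entry, not a dependency
    if (entry.link) continue;    // workspace symlink, nothing is fetched for it
    // Package name is whatever follows the last "node_modules/" (handles nesting and @scopes).
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.resolved) {
      findings.push({ name, reason: 'no resolved URL' });
      continue;
    }
    let origin;
    try {
      origin = new URL(entry.resolved).origin;
    } catch {
      findings.push({ name, reason: 'unparseable resolved URL' });
      continue;
    }
    if (origin !== trustedOrigin) {
      findings.push({ name, reason: `resolved from untrusted origin ${origin}` });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: 'missing integrity hash' });
    }
  }
  return findings;
}
```

In a real pipeline, read the lock file with `JSON.parse(fs.readFileSync('package-lock.json'))` and fail the build when `auditLockfile` returns any findings.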



Sounds interesting! But I work with Rust, so your project is outside of my direct area of interest.

If I am to suggest something, I think you should consider opening some parts of your product, e.g. you could publish your package reviews with an N-month delay and accept public reviews from the community with some vetting process on top.


That's a great point. We've been thinking through how we work with open source maintainers and the community to crowdsource reviews or usage information.



