Chainguard, a company that provides a repository of trusted container images, has announced the launch of a new collection of trusted builds for JavaScript dependencies.
According to Chainguard, recent attacks against the JavaScript package manager npm have underscored the need for more secure mechanisms to consume JavaScript libraries. The company says that public registries do not vet libraries or ensure that the downloaded library matches the source code.
Chainguard Libraries for JavaScript include builds that are malware-resistant and built from source on SLSA L2 infrastructure, the company explained. This helps protect against malware injection at both the build and distribution links of the open source supply chain.
The collection integrates with popular artifact management systems, like JFrog Artifactory and Sonatype Nexus, so that developers can improve security while using familiar tools.
“We’re rebuilding every component we publish from source so organizations can mitigate malware, have clear visibility into what exactly is in their software, and eliminate the risk of hidden supply chain vulnerabilities,” said Patrick Donahue, SVP of product at Chainguard. “Ultimately, we’re providing a secure, trusted source of JavaScript libraries that allows enterprises to remove friction and add security without asking developers to change how they build and deploy software.”
Chainguard also has similar offerings for Java, containing over 55,000 JAR files, and Python, containing over 15,000 libraries. The company also says it is planning on building out similar ecosystems for other languages in the future.
