Chris DeMars

@saltnburnem | 🦋 @chrisdemars.net
Senior Developer Advocate


Shownotes
THE MEN IN BLACK KNOW WHAT'S IN YOUR JAVASCRIPT!!
👽🛸👽🛸👽🛸👽🛸👽🛸👽🛸👽
and how to fix it
⚠️ Trigger Warning ⚠️
Aliens, UFOs, UAPs
What does this?
Have to do with this?
UNEXPLAINABLE
How many dependencies does the average JS app have?
npm ls
Why not list all?
npm ls --all
Direct
"dependencies": {
  "react": "^19.0.0",
  "react-dom": "^19.0.0",
  "next": "15.3.4"
}
Transitive
"dependencies": {
  "@next/env": "15.3.4"
}
npm install ufo-tracker
"dependencies": {
  "mib": "1.3.4"
}


Maintained by GlueStack, the compromised packages include react-native-aria/focus, utils, overlays, interactions, toggle, switch, checkbox, radio, button, menu, listbox, tabs, combobox, disclosure, slider, and separator, as well as gluestack-ui/utils.
Top of the Chain
Executive Order 14028
SBOM
SBOM
Software Bill of Materials
What is it?
Why do we need it?
Transparency
Disclosure
Critical for two MAIN things:
Security
Compliance
6 Types of SBOMs
Design
Source
Analyzed
Deployed
Build
Runtime
NOT a lock or package file
🚫
BIG PROBLEM
Typosquatting IS a thing!
One of these is NOT like the other!
npm i express
npm i expres
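The "express" vs "expres" slide is the kind of thing a pre-install check can catch. The following is an added example, not code from the talk: it lints the names in a package.json against a team-maintained allowlist (constructed here) and flags anything one edit away from a trusted package, so a lookalike is reviewed before `npm i` ever runs it.

```javascript
// Added example (not from the talk): flag dependency names that are one edit away
// from a known package. KNOWN_PACKAGES and SAMPLE_PACKAGE_JSON are constructed.
const KNOWN_PACKAGES = ["express", "react", "react-dom", "next", "lodash", "axios"];

// Optimal string alignment distance: insert, delete, substitute, or swap adjacent
// characters, so "lodahs" is distance 1 from "lodash" (plain Levenshtein says 2).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns [{ name, lookalike, distance }] for every dependency that is close to,
// but not exactly, a known package. Exact matches are trusted; scoped names are
// compared by their bare part so "@types/expres" is still caught.
function findLookalikes(pkgJson, known = KNOWN_PACKAGES, maxDistance = 1) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue;
    const bare = name.startsWith("@") ? name.split("/")[1] : name;
    for (const k of known) {
      const distance = editDistance(bare, k);
      if (distance > 0 && distance <= maxDistance) findings.push({ name, lookalike: k, distance });
    }
  }
  return findings;
}

// Constructed package.json: one typo, one transposition, one exact match, one unrelated name
const SAMPLE_PACKAGE_JSON = {
  dependencies: { expres: "^4.0.0", react: "^19.0.0", lodahs: "1.0.0", "ufo-tracker": "2.1.0" },
};
```

Wire `findLookalikes` into a `preinstall` script or CI step and fail the build when it returns anything, then let a human decide whether the name is a typo or a new, legitimately different package.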
Increased requirements for SBOMs
Client Trust Building
👽 Policy Reqs.
👽 Process for older solutions
👽 Storage system for SBOMs
👽 Accessibility to SBOMs
Syft Install
Recommended
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
Brew
brew install syft
Didn't forget about Windows!
Chocolatey
choco install syft -y
SPDX
&
CycloneDX
Two popular formats
Let's generate some SBOMs!
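To make the direct/transitive split and the "an SBOM is not a lock file" point concrete, here is an added example that is not code from the talk or from Syft: it walks a package-lock.json (v3 layout written by npm 7+) and emits a minimal CycloneDX 1.5 JSON document with package-url identifiers and a dependency graph, tagging each component as direct or transitive the way `npm ls` vs `npm ls --all` separates them. The lockfile is constructed to mirror the talk's hypothetical ufo-tracker -> mib chain, and the code assumes a hoisted (flat) node_modules, so nested duplicate copies are not resolved.

```javascript
// Added example (not from the talk): package-lock.json (v3) -> minimal CycloneDX 1.5 SBOM.
// SAMPLE_LOCK is constructed; ufo-tracker and mib are the talk's hypothetical packages.
const SAMPLE_LOCK = {
  name: "ufo-app", lockfileVersion: 3,
  packages: {
    "": { name: "ufo-app", version: "1.0.0",
          dependencies: { next: "15.3.4", "ufo-tracker": "^2.0.0" } },
    "node_modules/next": { version: "15.3.4", dependencies: { "@next/env": "15.3.4" } },
    "node_modules/@next/env": { version: "15.3.4" },
    "node_modules/ufo-tracker": { version: "2.1.0", dependencies: { mib: "1.3.4" } },
    "node_modules/mib": { version: "1.3.4" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": everything after the last node_modules/
function nameFromPath(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// package-url identifier; the purl spec percent-encodes a scope's leading "@" as %40
function purl(name, version) {
  return `pkg:npm/${name.replace("@", "%40")}@${version}`;
}

function lockToCycloneDX(lock) {
  const root = lock.packages[""];
  const rootRef = purl(root.name, root.version);
  const direct = Object.keys(root.dependencies || {});
  // assumes a hoisted tree: the installed copy of <dep> lives at node_modules/<dep>
  const installedRef = dep => purl(dep, lock.packages[`node_modules/${dep}`].version);
  const components = [], dependencies = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = nameFromPath(path);
    const ref = purl(name, pkg.version);
    // only the hoisted copy of a root dependency counts as direct
    const scope = direct.includes(name) && path === `node_modules/${name}` ? "direct" : "transitive";
    components.push({ type: "library", "bom-ref": ref, name, version: pkg.version, purl: ref,
                      properties: [{ name: "scope", value: scope }] });
    // CycloneDX dependency graph: declared ranges resolved to the installed versions
    dependencies.push({ ref, dependsOn: Object.keys(pkg.dependencies || {}).map(installedRef) });
  }
  dependencies.push({ ref: rootRef, dependsOn: direct.map(installedRef) });
  return { bomFormat: "CycloneDX", specVersion: "1.5", version: 1,
           metadata: { component: { type: "application", "bom-ref": rootRef,
                                    name: root.name, version: root.version } },
           components, dependencies };
}
```

Pipe the result into `grype sbom:<file>` (or Snyk) and the purls are what the scanner matches against its vulnerability database; the lock file alone carries none of the identifiers or graph edges a consumer needs.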
SBOM Security
Snyk
Grype
Recap
👽 Component Visibility
👽 Vulnerability Management
👽 Supply Chain Security
👽 Collaboration
👽 Compliance
Shownotes
Thanks!

@saltnburnem | 🦋 @chrisdemars.net
RSAC (15) - Know Your JS: SBOMs for Frontend Devs
By Chris DeMars