Supply-chain security: free-recall review
Retrieval beats re-reading. For each prompt, say or write a full answer from memory before you open the model answer — the effort of recall is what makes the material stick.
Reconstruct the unit’s core mechanisms — why the install step is the surface, what lockfiles and hashes do and miss, how confusion works, and what SBOM, provenance, and signing each answer — without looking back at the lesson.
- 01. Why is the install step — not your application code — the modern attack surface?
- 02. What does a lockfile with integrity hashes protect against, and what does it NOT?
- 03. Walk through a dependency-confusion attack and the layered defense.
- 04. What is an SBOM, and what question does it answer that a signature or provenance cannot?
- 05. Explain SLSA provenance and signed artifacts, and why xz-utils needed exactly this layer.
- 06. Order the supply-chain defenses from cheapest/most-immediate to most organizational, and justify the ordering.
If you could reconstruct each answer from memory, you hold the unit’s spine: the install step is the attack surface; lockfiles with hashes and npm ci guarantee you got the exact bytes but say nothing about how they were built; dependency confusion is a resolution-order bug fixed by precedence, not luck; SBOMs answer what is inside; and SLSA provenance plus Sigstore signing answer how it was built and whether it was tampered with — the layer xz needed and lockfiles missed. The defenses stack from one config line up to a hardened release pipeline.