🔥 3-day streak
AWS Certified DevOps Engineer - Professional73 / 204
Question 73 of 204

A company uses AWS CodeArtifact as its internal package repository for a set of proprietary npm packages (published under the @company scope). The repository has npmjs.org configured as an upstream to fetch public dependencies. During a security review, the team discovers that an attacker could publish a malicious package to the public npm registry using the same name as an internal package that has not yet been published to CodeArtifact, causing builds to pull the attacker's version (a dependency confusion attack). What is the MOST effective way to prevent this while still allowing the repository to fetch legitimate public packages?

Reviewed for accuracy · Report an issueNext question