minor updates

_posts/2025-06-07-package-managers.md

@@ -26,8 +26,8 @@ without revision, most individuals would say that that it isn't okay. When the
 same question arises about whether it's okay for millions of lines of code by
 hundreds or even thousands of developers from around the globe to introduce
 changes to a codebase, most companies shrug and say that they use Static
-Application Security Testing (SAST) - but we all know this doesn't address the
+Application Security Testing (SAST) and monitor - but we all know this doesn't
-issue, otherwise supply chain attacks would not be nearly as common.
+address the issue, otherwise supply chain attacks would not be nearly as common.
 
 ## SAST and Spiderman
 
@@ -68,6 +68,11 @@ this year so far:
 
 * June 5 2025: "One collection of PyPI packages is designed to "monkey patch" Solana key-generation methods by modifying relevant functions at runtime without making any changes to the original source code." [ref](https://web.archive.org/web/20250605205948/https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html)
 
+So next time when installing a package, consider what is being installed. The
+issue is that it's usually not just the top level dependency that will end up
+being installed - there are often many sub-dependencies, and package managers
+like npm will run the installation lifecycle scripts of each one.
+
 ## Who Wrote The Code?
 
 Package managers are open ecosystems with contributors from all over the world,
@@ -109,7 +114,8 @@ installation and during runtime resulting in complete compromise.
 * Not reviewing every line of code manually will inevitably lead to compromise
 given a long enough time horizon.
 
-* SAST is a feel good measure that is not sufficient for ensuring code security.
+* SAST/monitoring is a partial measure that is not sufficient for ensuring
+code security.
 
 * If it can be done with the standard language library, avoid adding
 dependencies.