On two levels: architecture and understanding. Architecture: I divide the solution components of my architecture into two groups: the ones where a security breach spills over their scope and the ones where it doesn't. For the first category (eg. network- or user-facing), dependencies will be limited as much as possible, meaning I'll forgo convenience and features. I'll pick LTS or older versions with no known vulnerabilities. The second category is locked up in containers with minimal connectivity, with on-demand run-time schedules. Understanding: depending on risk and importance, I actually check out a dependency's source code and have an AI review it. Then rebuild and self-host.

Edit: this approach sounds like it could be bundled into a couple of agents.

You can setup local proxy registry. set policy for the registry to set cool down period (7-14 days maybe). That will at least limit some of the blast radius

[flagged]