> ## Documentation Index > Fetch the complete documentation index at: https://developer.upsun.com/llms.txt > Use this file to discover all available pages before exploring further. # Supply chain attacks in the AI era, and what to do about them > AI agents are reading code at scale, including your dependencies. Why supply chain risk just changed, plus a build-time fix to add on Upsun. export const PostMeta = ({data = {}}) => { const {author, date, image} = data; const authors = Array.isArray(author) ? author : author ? [author] : []; const resolveAuthor = slug => { const entry = AUTHOR_MAP[slug] || ({}); const name = entry.name || slug; const github = entry.github || null; const linkedin = entry.linkedin || null; const url = github ? `https://github.com/${github}` : linkedin || null; const avatarUrl = github ? `https://github.com/${github}.png?size=64` : null; return { name, url, avatarUrl }; }; const formattedDate = date ? new Date(date).toLocaleDateString('en-US', { year: 'numeric', month: 'long', day: 'numeric' }) : null; if (!image && authors.length === 0 && !formattedDate) return null; const AUTHOR_MAP = { "aaron-collier": { "name": "Aaron Collier" }, "aaron-dudenhofer": { "name": "Aaron Dudenhofer" }, "aaron-porter": { "name": "Aaron Porter" }, "adriaan-odendaal": { "name": "Adriaan Odendaal" }, "ajmal": { "name": "Ajmal Siddiqui" }, "akalipetis": { "name": "Antonis Kalipetis" }, "alexander-varwijk": { "name": "Alexander Varwijk" }, "alicia-bevilacqua": { "name": "Alicia Bevilacqua" }, "amelie-deguerry": { "name": "Amelie Deguerry" }, "anacidre": { "name": "Ana Cidre", "linkedin": "https://www.linkedin.com/in/ana-cidre" }, "andoni": { "name": "Andoni Auzmendi" }, "andrei-taranu": { "name": "Andrei (Alex) Taranu", "linkedin": "https://www.linkedin.com/in/andrei-alex-taranu/" }, "andrew-baxter": { "name": "Andrew Baxter" }, "andrew-melck": { "name": "Andrew Melck" }, "antoine-crochet-damais": { "name": "Antoine Crochet Damais" }, "augustin-delaporte": { "name": "Augustin Delaporte", "linkedin": "https://www.linkedin.com/in/augustindelaporte/" }, "branislav-bujisic": { "name": "Branislav Bujisic" }, "carl-smith": { "name": "Carl Smith" }, "caroline-leroy": { "name": "Caroline Leroy" }, "cati-mayer": { "name": "Cati Mayer" }, "catplat": { "name": "C Trinkwon" }, "ceelolulu": { "name": "Celeste van der Watt" }, "chadwcarlson": { "name": "Chad Carlson", "github": "chadwcarlson", "linkedin": "https://www.linkedin.com/in/chadwcarlson" }, "chris-ward": { "name": "Chris Ward" }, "chris-yates": { "name": "Chris Yates" }, "christian-sieber": { "name": "Christian Sieber" }, "christopher-lockheardt": { "name": "Christopher Lockheardt" }, "christopher-skene": { "name": "Christopher Skene" }, "chuck-morgan": { "name": "Chuck Morgan" }, "corey-dockendorf": { "name": "Corey Dockendorf" }, "crell": { "name": "Crell" }, "damz": { "name": "Damz" }, "dan-morrison": { "name": "Dan Morrison" }, "davidbonachera": { "name": "David Bonachera", "github": "davidbonachera", "linkedin": "https://www.linkedin.com/in/davidbonachera" }, "dereliahmet1": { "name": "Ahmet Faruk Dereli" }, "devicezero": { "name": "Jonas Kröger", "github": "devicezero", "linkedin": "https://www.linkedin.com/in/jonaskroeger/" }, "doug-goldberg": { "name": "Doug Goldberg" }, "duncan-naves": { "name": "Duncan Naves", "github": "duncannaves", "linkedin": "https://www.linkedin.com/in/duncan-naves-a94423aa" }, "erika-bustamante": { "name": "Erika Bustamante" }, "fabpot": { "name": "Fabien Potencier" }, "flovntp": { "name": "Florent Huck", "github": "flovntp", "linkedin": "https://www.linkedin.com/in/florenthuck" }, "fred-plais": { "name": "Fred Plais" }, "gauthier-garnier": { "name": "Gauthier Garnier" }, "gilzow": { "name": "Paul Gilzow" }, "gmoigneu": { "name": "Guillaume Moigneu", "github": "gmoigneu", "linkedin": "https://www.linkedin.com/in/guillaumemoigneu/" }, "gregqualls": { "name": "Greg Qualls" }, "guguss": { "name": "Augustin Delaporte" }, "haylee-millar": { "name": "Haylee Millar" }, "ivana-kotur": { "name": "Ivana Kotur" }, "jackrabbithanna": { "name": "Mark Hanna" }, "jared-wright": { "name": "Jared Wright", "github": "jww-sh", "linkedin": "https://www.linkedin.com/in/jaredwaynewright" }, "jessica-orozco": { "name": "Jessica Orozco" }, "joey-stanford": { "name": "Joey Stanford" }, "john-grubb": { "name": "John Grubb" }, "jonas-kruger": { "name": "Jonas Kruger" }, "kathryn-frazer": { "name": "Kathryn Frazer" }, "kemiojo": { "name": "Kemi Elizabeth Ojogbede" }, "kieronsambrook-smith": { "name": "Kieronsambrook Smith" }, "laurent-arnoud": { "name": "Laurent Arnoud" }, "letoya-boyne": { "name": "Letoya Boyne" }, "lolautruche": { "name": "Jérôme Vieilledent" }, "lyly-lepinay": { "name": "Lyly Lepinay" }, "manauwar-alam": { "name": "Manauwar Alam" }, "marc-antoine-porri": { "name": "Marc Antoine Porri" }, "maria-antinkaapo": { "name": "Maria Antinkaapo" }, "maria-de-anton": { "name": "Maria De Anton" }, "mark-dorison": { "name": "Mark Dorison" }, "markus-hausammann": { "name": "Markus Hausammann" }, "mary-thomas": { "name": "Mary Thomas" }, "mathias-bolt-lesniak": { "name": "Mathias Bolt Lesniak" }, "mathieu-strauch": { "name": "Mathieu Strauch" }, "matthias-van-woensel": { "name": "Matthias Van Woensel", "linkedin": "https://www.linkedin.com/in/matthias-van-woensel-267a069" }, "michael-sharp": { "name": "Michael Sharp" }, "mupsi": { "name": "Marine Gandy" }, "natalie-harper": { "name": "Natalie Harper" }, "ngommenginger": { "name": "Nicolas Gommenginger", "linkedin": "https://www.linkedin.com/in/nicolas-gommenginger" }, "nicholas-bennison": { "name": "Nicholas Bennison" }, "nicholas-vahalik": { "name": "Nicholas Vahalik" }, "nick-hardiman": { "name": "Nick Hardiman" }, "nickanderegg": { "name": "Nickanderegg" }, "nicolas-grekas": { "name": "Nicolas Grekas", "github": "nicolas-grekas", "linkedin": "https://www.linkedin.com/in/nicolasgrekas/" }, "niti-malwade": { "name": "Niti Malwade" }, "opensocialteam": { "name": "Opensocialteam" }, "ori-pekelman": { "name": "Ori Pekelman" }, "otavio-santana": { "name": "Otavio Santana" }, "palwandi": { "name": "Pawan Alwandi", "github": "pawpy", "linkedin": "https://www.linkedin.com/in/pawanalwandi" }, "patrick-boest": { "name": "Patrick Boest" }, "patrick-dawkins": { "name": "Patrick Dawkins", "github": "pjcdawkins", "linkedin": "https://www.linkedin.com/in/patrickdawkins" }, "patrick-klima": { "name": "Patrick Klima" }, "pjcdawkins": { "name": "Pjcdawkins" }, "prineet-kaurbhurji": { "name": "Prineet Kaurbhurji" }, "quentin-sinig": { "name": "Quentin Sinig" }, "ralt": { "name": "Florian Margaine", "github": "ralt", "linkedin": "https://www.linkedin.com/in/florian-margaine-43971136" }, "ramanathanramakrishnamurthy": { "name": "Ramanathanramakrishnamurthy" }, "remi-lejeune": { "name": "Rémi Lejeune" }, "ribel": { "name": "Taras Kruts" }, "robert-douglass": { "name": "Robert Douglass" }, "rudy-weber": { "name": "Rudy Weber" }, "ryan-hicks": { "name": "Ryan Hicks" }, "sabri-helal": { "name": "Sabri Helal" }, "savannah-bergeron": { "name": "Savannah Bergeron" }, "shannon-vettes": { "name": "Shannon Vettes" }, "shawn-ogasawara": { "name": "Shawn Ogasawara", "linkedin": "https://www.linkedin.com/in/shawn-ogasawara-83a9a0/" }, "shawna-spoor": { "name": "Shawna Spoor" }, "shedrack-akintayo": { "name": "Shedrack Akintayo" }, "simon-ruggier": { "name": "Simon Ruggier" }, "sophie-van-der-kindere": { "name": "Sophie Van Der Kindere" }, "stefanos-thampis": { "name": "Stefanos Thampis" }, "stephen-weinberg": { "name": "Stephen Weinberg" }, "sukhman-virk": { "name": "Sukhman Virk" }, "sumaira-nazir": { "name": "Sumaira Nazir" }, "sumer": { "name": "Sümer Cip" }, "syed-raza": { "name": "Syed Raza" }, "tamara-bacchia": { "name": "Tamara Bacchia" }, "tara-arnold": { "name": "Tara Arnold" }, "theosakamg": { "name": "Mickael Gaillard", "github": "theosakamg" }, "thomasdiluccio": { "name": "Thomas di Luccio" }, "tim-anderson": { "name": "Tim Anderson" }, "tom-helmer-hansen": { "name": "Tom Helmer Hansen" }, "tylermills": { "name": "Tyler Mills" }, "upsun": { "name": "Upsun" }, "veronika-tolkachova": { "name": "Veronika Tolkachova", "linkedin": "https://www.linkedin.com/in/veronika-tolkachova-169167a2" }, "vince-parker": { "name": "Vince Parker" }, "vinnie-russo": { "name": "Vincenzo Russo" }, "vrobert78": { "name": "Vincent Robert", "github": "vrobert78", "linkedin": "https://www.linkedin.com/in/vincent-robert-498a883" }, "yuriy-babenko": { "name": "Yuriy Babenko" }, "yuriy-gerasimov": { "name": "Yuriy Gerasimov" } }; return
{(authors.length > 0 || formattedDate) &&
{authors.length > 0 &&
{authors.map(slug => { const {name, url, avatarUrl} = resolveAuthor(slug); const inner = <> {avatarUrl && {name}} {name} ; return url ? {inner} : {inner}; })}
} {authors.length > 0 && formattedDate && } {formattedDate && {formattedDate}}
} {image && }
; }; AI agents are getting really good at reading code. Yours, your dependencies, the ones you forgot you depend on. The barrier to finding an exploitable bug in some random library 3 levels deep in your `package.json` keeps dropping. That's a problem if your strategy for supply chain security is "I'll patch when I hear about it". You won't hear about all of them, and you won't hear in time. This post is about one small, concrete thing you can do today: fail your Upsun deployment when a high-severity vulnerability shows up in your dependencies. The mechanism is the [build hook](/docs/configure-apps/image-properties/hooks#build-hook). This example uses [Snyk](https://snyk.io/), which has a free tier that's enough for this, but any equivalent scanner works the same way. It's not the whole answer. We'll get to that. But it's a real check that runs every time you push. ## Why build-time matters Dependency vulnerability scans usually live in 1 of 2 places: your CI pipeline, or your IDE. Both are fine, both are also avoidable. A developer can push a branch that skipped CI. A vulnerability database can publish a new advisory the day after your last green build. A build hook on Upsun runs on every deploy. If the scan fails, the deploy fails, and the new code never reaches an environment. That's a different posture from "we hope someone runs the scan". It's also the same hook your `npm install` already runs in, so the cost of adding it is tiny. ## Set up Snyk You'll need a Snyk account and an authentication token. The free plan is enough for this (capped at 200 scans per month though). Paid plans also scan your own application code, not only dependencies. Look at what each tier covers and pick what fits. 1. Sign up at [snyk.io](https://snyk.io/) and connect a personal account. 2. Generate a personal access token (PAT) from your account settings. 3. In Upsun, set the token as a project-level environment variable: ```bash theme={null} upsun variable:create --level project --name env:SNYK_TOKEN --value --visible-runtime false --sensitive true ``` The `env:` prefix exposes the value to your build container as a real environment variable. `--visible-runtime false` keeps it out of the runtime environment, since the build hook is the only place that needs it. `--sensitive true` hides the value in the Console and CLI output. ## Add the scan to the build hook Open your `.upsun/config.yaml` and add the scan to the `hooks.build` step: ```yaml .upsun/config.yaml theme={null} applications: app: type: "nodejs:20" hooks: build: | set -x -e npm install npx snyk test --all-projects --severity-threshold=high ``` A few things worth saying out loud: * `npx` is bundled with `npm`, which is bundled with the `nodejs` runtime. No separate install step. * `--all-projects` walks your repo and picks up every supported manifest it finds (`package-lock.json`, `requirements.txt`, `composer.lock`, and so on). * `--severity-threshold=high` is the lever that decides what counts as a deploy-blocking vulnerability. Drop it to `medium` if you want to be stricter, raise it to `critical` if you want to be quieter. * No explicit `snyk auth` call. The CLI picks up `SNYK_TOKEN` from the environment. If the scan finds something at or above the threshold, `snyk test` exits non-zero, `set -e` kills the build, and your deploy fails. That's the behavior you want. If you want to scan but not block (useful for the first week, while you triage what's already in there), append `|| true`: ```yaml theme={null} npx snyk test --all-projects --severity-threshold=high || true ``` That makes the scan informational. Less useful as a permanent setting. ## What this catches Push a deploy with a known-bad dependency and Snyk reports something like this in your build log: ``` Tested 89 dependencies for known issues, found 1 issue, 1 vulnerable path. Issues to fix by upgrading: Upgrade next@15.5.15 to next@16.1.5 to fix ✗ Allocation of Resources Without Limits or Throttling [High Severity] introduced by next@15.5.15 ``` The build fails. The activity in the Upsun console shows the failure. You bump `next`, push again, deploy succeeds. Boring. Boring is the goal. ## What this does not catch A build-time scan only tells you what was vulnerable when you deployed. The hook runs at deploy time, not continuously. New CVEs land all the time, and the dependency you shipped on Monday can have an advisory published on Wednesday. If you don't deploy in the meantime, your already-running production stays exposed until your next push. This check is necessary, not sufficient. You also want at least: * A scheduled scan against your production dependencies that notifies you when something new shows up. Snyk does this for projects you import into its dashboard. GitHub does it via Dependabot for repositories on GitHub. Pick whichever fits your setup. * A patching cadence. The scan finding a CVE only helps if someone actually upgrades the dependency. "We have alerts" without "we have an owner" is noise. * A view of your runtime stack, not only your application code. Base images, system packages, and runtime versions are part of your supply chain too. On Upsun, base images and system packages are bundled into the runtime versions themselves, and we [keep them hardened and patched](/posts/how-it-works/how-weve-been-hardening-containers-since-before-docker-made-it-cool). The build hook closes the door on shipping a known-bad version. Continuous monitoring catches the new known-bad versions of things you've already shipped. They're different jobs. ## Wrapping up If you do nothing else after reading this, add 3 lines to your build hook and 1 project variable. That alone blocks a real category of deploys, and it costs you maybe 10 minutes. Then set up the alerting side. The half of supply chain security that runs on a schedule is the half that protects you tomorrow.