Session

Securing OSS as an Author and Consumer

After more than a decade of development and releases, I received a notification of a security advisory in one of my open source projects. Once I got past the five stages of grief (denial, anger, bargaining, depression, and finally acceptance), I published the first Critical Vulnerability Exploit for any of my projects.

During this journey, I realized how little I understood about securing my packages as an author and my supply chain as a consumer. In this session, we'll look at both perspectives, author and consumer. I'll show the ins and outs of a mature security policy and how a security advisory works, from notification to publication. We'll look at common vulnerabilities, both in your code and in your packages.

On the consumer side, I'll also show how you can secure your supply chain to stay ahead of vulnerabilities, beyond the vanilla Dependabot settings. Finally, we'll look at a proactive approach to ensure your systems stay secure without abandoning OSS altogether.

Jimmy Bogard

Independent Consultant

Austin, Texas, United States
