惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

W
WeLiveSecurity
博客园 - 【当耐特】
Microsoft Azure Blog
Microsoft Azure Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
Cloudbric
Cloudbric
The Register - Security
The Register - Security
小众软件
小众软件
PCI Perspectives
PCI Perspectives
G
Google Developers Blog
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Recent Commits to openclaw:main
Recent Commits to openclaw:main
量子位
TaoSecurity Blog
TaoSecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
F
Full Disclosure
N
Netflix TechBlog - Medium
博客园_首页
Last Week in AI
Last Week in AI
A
Arctic Wolf
B
Blog RSS Feed
J
Java Code Geeks
C
Cybersecurity and Infrastructure Security Agency CISA
I
InfoQ
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
MyScale Blog
MyScale Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Jina AI
Jina AI
有赞技术团队
有赞技术团队
S
Schneier on Security
L
Lohrmann on Cybersecurity
P
Privacy & Cybersecurity Law Blog
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Security Latest
Security Latest
Vercel News
Vercel News
博客园 - 司徒正美
Webroot Blog
Webroot Blog
Hacker News: Ask HN
Hacker News: Ask HN
A
About on SuperTechFans

Obsidian Blog

Obsidian Sync audits by Cure53 and Trail of Bits The future of Obsidian plugins Obsidian October 2025 Obsidian is now free for work 2024 Gems of the year winners 2024 Gems of the year nominations Second audit of Obsidian apps completed by Cure53 Obsidian Softwear: new Fractal t-shirts and hoodies Save the web Obsidian October 2024 Obsidian Sync now starts at $4 per month with the new Standard plan Announcing JSON Canvas: an open file format for infinite canvas data 2023 Gems of the year winners New security page and independent audit completed by Cure53 2023 Gems of the year nominations New Obsidian Sync plans: bigger, better, faster, smoother Goodbye legacy editor Obsidian Importer now converts Apple Notes to portable, durable files Obsidian October 2023 Free your notes How to verify Obsidian Sync's end-to-end encryption The new Obsidian icon New developer documentation site Obsidian Publish now offers more for less: a lower price, with new features, improved SEO and accessibility 2022 Gems of the year winners I’m joining Obsidian full-time as CEO New Code of Conduct for our community 2022 Gems of the year nominations Obsidian October 2022 winners Obsidian October 2022 1.0 Theme migration guide How to update your plugin to support pop-out windows Plugin developers: CodeMirror 6 migration guide for v6.0 2021 Gems of the year winners Live Preview update 2021 Gems of the year nominations Obsidian October 2021 winners Obsidian October 2021: make plugins and themes together and win awards! Last chance to get early bird discount for Sync and Publish 2020 Gems of the year winners 2020 Gems of the year nominations
Less is safer: how Obsidian reduces the risk of supply chain attacks
licat · 2025-09-19 · via Obsidian Blog

Supply chain attacks are malicious updates that sneak into open source code used by many apps. Here’s how we design Obsidian to ensure that the app is a secure and private environment for your thoughts.

Less is safer

It may sound obvious but the primary way we reduce the risk of supply chain attacks is to avoid depending on third-party code. Obsidian has a low number of dependencies compared to other apps in our category. See a list of open source libraries on our Credits page.

Features like Bases and Canvas were implemented from scratch instead of importing off-the-shelf libraries. This gives us full control over what runs in Obsidian.

  • For small utility functions we almost always re-implement them in our code.
  • For medium modules we fork them and keep them inside our codebase if the licenses allows it.
  • For large libraries like pdf.js, Mermaid, and MathJax, we include known-good, version-locked files and only upgrade occasionally, or when security fixes land. We read release notes, look at upstream changes, and test thoroughly before switching.

This approach keeps our dependency graph shallow with few sub-dependencies. A smaller surface area lowers the chance of a malicious update slipping through.

What actually ships in the app

Only a handful of packages are part of the app you run, e.g. Electron, CodeMirror, moment.js. The other packages help us build the app and never ship to users, e.g. esbuild or eslint.

Version pinning and lockfiles

All dependencies are strictly version-pinned and committed with a lockfile. The lockfile is the source of truth for builds so we get deterministic installs. This gives us a straightforward audit trail when reviewing changes.

We do not run postinstall scripts. This prevents packages from executing arbitrary code during installation.

Slow, deliberate upgrades

When we do dependency updates, we:

  1. Read the dependency’s changelog line-by-line.
  2. Check sub-dependencies introduced by the new version.
  3. Diff upstream when the change set is large or risky.
  4. Run automated and manual tests across platforms and critical user paths.
  5. Commit the new lockfile only after these reviews pass.

In practice, we rarely update dependencies because they generally work and do not require frequent changes. When we do, we treat each change as if we were taking a new dependency.

Time is a buffer

We don’t rush upgrades. There is a delay between upgrading any dependency and pushing a release. That gap acts as an early-warning window: the community and security researchers often detect malicious versions quickly. By the time we’re ready to ship, the ecosystem has usually flagged any problematic releases.


No single measure can eliminate supply chain risk. But choosing fewer dependencies, shallow graphs, exact version pins, no postinstall, and a slow, review-heavy upgrade cadence together make Obsidian much less likely to be impacted, and give us a long window to detect problems before code reaches users.

If you’re curious about our broader approach to security, see our security page and past audits.