How version diffing catches poisoned updates
Version diffing compares one release of an extension or package against the next and surfaces exactly what changed - new permissions, new endpoints, new code paths. It is how Extuno catches a benign project that was poisoned through its update channel.
Why diff versions instead of scanning once?
A one-time scan answers is this version bad today. It cannot catch the project that was clean when you adopted it and malicious three updates later. Diffing answers the question that actually matters for supply chain risk: what did this update change, and is any of it dangerous.
What does a version diff surface?
Band escalation across an update (clean to dangerous), newly added sensitive permissions or broadened host access, a new outbound or command-and-control endpoint, a weakened Content-Security-Policy, a new remote-code path, and new install-time behavior. Each delta carries the evidence behind it.
How does Extuno score a risky update?
Extuno reads each version statically and dynamically, computes the deltas, and raises an alert when the new version crosses from benign into dangerous. The score is transparent and explainable, and the headline signal is the band escalation an update introduces.