undefined | Better HN

0 pointswhatshisface7y ago0 comments

>NPM insecurity

NPM packages can contain malicious code. There's no NPM review process, and you can't point to specific versions to lock in your own reviews (package administrators can change whatever files they'd like). There's no such thing as a verified-safe dependencies list because the file you reviewed last month might not be downloaded today.

0 comments

efdee7y ago

You definitely can point to specific versions.

That being said, most package managers can contain malicious code and very few of them actually review their packages.

Besides, any company using NPM seriously probably has their own proxy in front of it, so there's no case of "the file might not be downloadable anymore" if that was already a problem with NPM itself.

s_y_n_t_a_x7y ago

>and you can't point to specific versions

Yes you can.

>no such thing as a verified-safe dependencies list

There are audits.

j / k navigate · click thread line to collapse