undefined | Better HN

0 pointsSahAssar6y ago0 comments

The part you leave out of that explanation is that for those files and folders there are 179 authors to trust for all future changes (including adding more authors via granting access to their repo or adding more deps).

Sure, you can do locking, but that does not go deep well, and also turns into a hell of trying to determine if every (for your use-case) pointless release of a sub-dep is worth updating to.

0 comments

marcus_holmes6y ago

This. am I really expected to review every change that 179 authors make to 242 packages?

And if I don't, am I responsible for the malicious code insertion, or is NPM going to take responsibility for that?

SahAssarOP6y ago

You are responsible for malicious code insertion either way.

If you delegate trust in any way, you are responsible for how that trust was (mis)used.

j / k navigate · click thread line to collapse