Better HN
Vinnl
4y ago
If there's a vulnerability in Webpack (a devDependency) that injects malicious code into your bundle, `npm prune --production` won't save you.
remram
4y ago
This is not a vulnerability (i.e. a security bug), it's an attack (i.e. malicious).
Vinnl
OP
4y ago
It doesn't really matter what you call it; the problem is that there could be CVEs in your devDependencies that affect your production build, and pruning those dependencies after using them to create that build doesn't remove the risk.
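One defensive check the thread implies, added here as an example (not code from either commenter): cross-reference an `npm audit --json` report against the lockfile's `dev` flags, so that findings in devDependencies are surfaced as build-toolchain risk instead of being filtered out as "not shipped". The lockfile and audit JSON below are constructed samples; the lockfileVersion 3 and auditReportVersion 2 layouts are assumptions from my own knowledge of npm, and the package names and advisory fields are placeholders.

```python
import json

# Constructed sample of a trimmed package-lock.json (lockfileVersion 3 shape:
# "packages" keyed by install path, "dev": true on dev-only packages).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"runtime-lib": "^1.0.0"},
             "devDependencies": {"bundler-x": "^5.0.0"}},
        "node_modules/runtime-lib": {"version": "1.0.0"},
        "node_modules/bundler-x": {"version": "5.0.0", "dev": True},
        "node_modules/bundler-x/node_modules/loader-y": {"version": "2.1.0", "dev": True},
    },
})

# Constructed sample of trimmed `npm audit --json` output (auditReportVersion 2
# shape). Advisory titles and URLs are placeholders, not real advisories.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "loader-y": {"name": "loader-y", "severity": "high", "isDirect": False,
                     "via": [{"title": "PLACEHOLDER", "url": "https://example.invalid/a"}]},
        "runtime-lib": {"name": "runtime-lib", "severity": "low", "isDirect": True,
                        "via": [{"title": "PLACEHOLDER", "url": "https://example.invalid/b"}]},
    },
})

def dev_only_packages(lock_json: str) -> set:
    """Names the lockfile marks dev-only, i.e. what `npm prune --production` removes."""
    names = set()
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path and meta.get("dev"):
            # Strip the install path; nested installs look like a/node_modules/b.
            names.add(path.rsplit("node_modules/", 1)[-1])
    return names

def build_time_findings(lock_json: str, audit_json: str) -> list:
    """Every audit finding, tagged with whether it sits in the (pruned) build toolchain.
    in_build_toolchain=True is the case the thread describes: the package can shape the
    bundle, so pruning it after the build removes nothing."""
    dev = dev_only_packages(lock_json)
    vulns = json.loads(audit_json).get("vulnerabilities", {})
    return [{"package": name, "severity": v.get("severity", "unknown"),
             "in_build_toolchain": name in dev}
            for name, v in sorted(vulns.items())]

if __name__ == "__main__":
    for f in build_time_findings(SAMPLE_LOCK, SAMPLE_AUDIT):
        tag = "dev-only, still shapes the bundle" if f["in_build_toolchain"] else "runtime"
        print(f"{f['package']:<12} {f['severity']:<5} {tag}")
```

Run against a real project by replacing the two samples with the contents of `package-lock.json` and the output of `npm audit --json`; the point is that a CI gate should fail on `in_build_toolchain` findings just as it does on runtime ones.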