Comments
C0D4 (5y): I'm still not seeing how relying on random packages is a good thing 🤦♂️
Open source != safe code.

noder (5y): @C0D4 Most of a Node.js app is external packages taken from the npm registry, so there is always a risk of one of them messing up.
That being said, my lesson was to always keep my packages updated, as this vulnerability was introduced in a particular version. Even though the author issued an update immediately to fix it, I did not realize it and didn't upgrade my packages :(

mindev (5y): @C0D4 People are so stupid that they will use fucking libraries to add numbers, and add that as a dependency in their packages. npm became a nightmare...

JS devs: pulling in tons of crap that nobody, nowhere, reviews even superficially.
Also JS devs: aaahhhhh, some nasty shit got through this review process!

What kind of review does Boost get? I also don't check the libraries from Qt. My manager makes a lot of the decisions as to what libraries to use.
Genuinely curious.
security fiasco due to a malicious npm package:
Because of a bitcoin miner present in the event-stream npm module (https://bleepingcomputer.com/news/...), my entire team and I had to scan all our Node.js apps, repos and, the most excruciating one, all node_modules folders across all our dev machines and servers, to see if event-stream and flatmap-stream were present, then not just delete them but update a bu**load of upstream dependencies which internally used event-stream. All due to one malicious package which was hidden several layers beneath.
And this happened almost 8 months after the aforesaid vulnerability was first found.
Tags: rant, npm, security