22
sariel
3y

No other language can do something as fucky as javascript.

"7 high severity vulnerabilities"
$> npm audit fix --force
"13 vulnerabilities (11 high, 2 critical)"

How is this fixed?!

It will be a great day when JS finally prolapses under the weight of its own hubris.
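The jump the post describes (7 high before, 11 high plus 2 critical after `npm audit fix --force`) is what happens when `--force` is allowed to install semver-major upgrades of top-level packages: the new majors can pull in transitive dependencies that carry their own advisories. Before keeping such a "fix", capture `npm audit --json` on the untouched tree, apply the fix on a scratch copy, capture it again, and diff the two by package. The script below is an added example, not code from the original post or from npm itself; it assumes the npm 7+ audit report shape (a top-level `vulnerabilities` object keyed by package name, each entry with a `severity`), and the sample reports use constructed placeholder package names, not real advisories.

```javascript
// Added example (not from the original post or from npm): diff two
// `npm audit --json` reports taken before and after `npm audit fix --force`.
// Assumed report shape (npm 7+): { vulnerabilities: { <pkg>: { severity, isDirect, ... } } }
"use strict";

const SEVERITIES = ["info", "low", "moderate", "high", "critical"];
const rank = (sev) => SEVERITIES.indexOf(sev);

// Per-severity counts computed from the per-package entries rather than from
// metadata.vulnerabilities, so a report with stripped metadata still works.
function countBySeverity(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if (rank(entry.severity) >= 0) counts[entry.severity] += 1;
  }
  counts.total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  return counts;
}

// Package-level diff: what the fix removed, what it pulled in, what stayed,
// and which remaining packages got a worse rating than before.
function diffReports(before, after) {
  const b = before.vulnerabilities || {};
  const a = after.vulnerabilities || {};
  const fixed = Object.keys(b).filter((n) => !(n in a)).sort();
  const introduced = Object.keys(a).filter((n) => !(n in b)).sort();
  const remaining = Object.keys(a).filter((n) => n in b).sort();
  const worsened = remaining.filter((n) => rank(a[n].severity) > rank(b[n].severity));
  return { fixed, introduced, remaining, worsened };
}

// Keep a forced fix only if it adds no high/critical findings and does not
// raise the total; otherwise roll it back, as the post's author did.
function isNetImprovement(before, after) {
  const cb = countBySeverity(before);
  const ca = countBySeverity(after);
  return ca.high + ca.critical <= cb.high + cb.critical && ca.total <= cb.total;
}

// Constructed sample data (placeholder package names, not real advisories)
// mirroring the post: 7 high before, 11 high + 2 critical after --force.
function entry(severity, isDirect) {
  return { severity, isDirect, via: [], effects: [], fixAvailable: true };
}
const BEFORE = { auditReportVersion: 2, vulnerabilities: {
  "dep-a": entry("high", true),  "dep-b": entry("high", false),
  "dep-c": entry("high", false), "dep-d": entry("high", false),
  "dep-e": entry("high", false), "dep-f": entry("high", true),
  "dep-g": entry("high", false),
} };
const AFTER = { auditReportVersion: 2, vulnerabilities: {
  // dep-a and dep-b were fixed by the major bump; dep-c is now rated critical
  "dep-c": entry("critical", false), "dep-d": entry("high", false),
  "dep-e": entry("high", false),     "dep-f": entry("high", true),
  "dep-g": entry("high", false),
  // transitive packages pulled in by the semver-major upgrades
  "new-1": entry("high", false), "new-2": entry("high", false),
  "new-3": entry("high", false), "new-4": entry("high", false),
  "new-5": entry("high", false), "new-6": entry("high", false),
  "new-7": entry("high", false), "new-8": entry("critical", false),
} };

// Usage: node audit-diff.js before.json after.json   (each from `npm audit --json`)
// With no arguments the constructed samples above are compared.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const load = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
  const [beforePath, afterPath] = process.argv.slice(2);
  const before = beforePath ? load(beforePath) : BEFORE;
  const after = afterPath ? load(afterPath) : AFTER;
  console.log("before:", countBySeverity(before));
  console.log("after: ", countBySeverity(after));
  console.log(diffReports(before, after));
  console.log(isNetImprovement(before, after) ? "keep the fix" : "roll the fix back");
}
```

Run it on two real reports and the `introduced` list tells you exactly which packages the forced major upgrades dragged in; if those are transitive and `fixAvailable` is false for them, the only options are pinning or picking a different top-level dependency, which is the work the post's author decided not to spend a night on.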

Comments
  • 1
    Having 3 vulnerabilities discovered yesterday is bad
    Having 1 vulnerability discovered in the 90s is worse.
  • 8
    Log4shell is pretty bad because any informed amateur hacker can pull it off. On the other hand, in 7th grade I took down my high school's server with SQL injection and it wasn't me because I was the first to think of it but rather because I was the first to find the vulnerability before thinking about the consequences.
  • 4
    To be honest, that is less js and more bad libraries.

    Were the fixed libraries recently released, or had they been out for a while?

    Seems strange that bug fixes replace dependencies with new ones that are insecure, or was it other libraries that were upgraded to versions with vulnerabilities?
  • 1
    @Voxera to be honest there's nothing critical about this project since it's something personal I'm building.

    I'm sure it grew because the dependencies have exposures. It's just crazy to me that it jumped from 7 to 11+2.

    I rolled the "fix" back and moved on with my night.

    For me to actually fix it would probably take me longer than the time I'm willing to spend to make it work with the latest libraries. I say this because I'm sure that it wouldn't remove any of the existing vulnerabilities and would only waste my time.

    It's definitely made me rethink using npm in any future frontend projects, but choices are clearly limited.
  • 1
    @sariel The only winning move is not to play
  • 1
    @ostream You mean NodeJS vs. Deno?
  • 1
    @ostream Makes sense, I was just confused because you wrote "he made a new runtime" which implied for me that you meant NPM.
    Have you tried Deno yet? It's still on my list...
  • 0
    @ostream Merde 😄 I've never heard of MERN before but just looked it up.
  • 0
    It's not node, it's a barely functioning tool kit designed to make more work and fuck with you. Meanwhile,

    fucking lodash had remote vulnerabilities! Lol
  • 0
    And what is that? An array and deep copy manipulation module!
  • 0
    Btw
    I hate design patterns
    I think they reduce the joy of coding