undefined | Better HN

0 pointsNathanKP10y ago0 comments

Solution:

1) Pin your packages to a specific version. If you aren't doing this already they you are in for a world of hurt when someone who doesn't know what they are doing releases a breaking package change on a minor version number.

2) Shrinkwrap your packages. Once again if you aren't already doing this then you npm install will probably break about once per three months when someone pushes a bad package to NPM.

3) Publish your NPM packages from an NPM in one vagrant development environment and run your code that installs from NPM in another vagrant development environment. If you have one shared environment then you are going to have other issues of which the small chance of an NPM worm is probably going to be the least of your worries.

0 comments

jjnoakes10y ago

You forgot (4): either never upgrade (missing out on security and bug fixes) or audit every update to every package which you are pulling down (which in node could be thousands)

I prefer sticking to curated sets of packages with groups of people focused on doing the auditing and security along side my due diligence. I get security updates, bug fixes, far fewer breaking changes, regular updates, reasonable assurance that code works together, and lower risk.

NPM has a lot to learn.

NathanKPOP10y ago

> curated sets of packages with groups of people focused on doing the auditing and security along side my due diligence

How does this differ from how NPM works? For example the set of packages that is utilized by Express is downloaded more than 5 million times per month. There are tons of eyes all over those packages.

Sure if you are installing sketchy packages that have 100 downloads a month you have to do a lot of auditing yourself, but when sticking to the core modules that are used in practically every node project you can benefit from the auditing being done by all the others who use those packages.

jjnoakes10y ago

I don't think there are eyes all over those packages though.

j / k navigate · click thread line to collapse

0 pointsNathanKP10y ago0 comments

Solution:

2) Shrinkwrap your packages. Once again if you aren't already doing this then you npm install will probably break about once per three months when someone pushes a bad package to NPM.

0 comments

jjnoakes10y ago

You forgot (4): either never upgrade (missing out on security and bug fixes) or audit every update to every package which you are pulling down (which in node could be thousands)

NPM has a lot to learn.

NathanKPOP10y ago

> curated sets of packages with groups of people focused on doing the auditing and security along side my due diligence

How does this differ from how NPM works? For example the set of packages that is utilized by Express is downloaded more than 5 million times per month. There are tons of eyes all over those packages.

jjnoakes10y ago

I don't think there are eyes all over those packages though.

j / k navigate · click thread line to collapse