StavrosK
8y ago
What's the alternative? Have the maintainer snail-mail you the packages?
11 comments · 4 top-level
vitaliyf
8y ago
You run a private NPM mirror where you copy dependencies that you rely on, after auditing them (for code quality and licensing).
fareesh
8y ago
Realistically if someone were to sneak something in, what kind of audit would you need to be able to catch it?
StavrosK
OP
8y ago
Wouldn't just pinning the hash of a package be a better solution?
tomjakubowski
8y ago
That’s probably fine from the security perspective, but the hash won’t make the package re-appear if it disappears out of nowhere. That’s the other benefit of a private/on-premises mirror.
2 more replies
the_duke
8y ago
Easiest solution without infrastructure imo is to vendor node_modules as a git submodule.
(Of course it's even easier to just add node_modules to the repo but that is messy).
aabbcc1241
8y ago
And you'd better fork the git repo, otherwise the incident happening to npm can happen on GitHub / whatever remote repo.
chris_7
8y ago
I don't know JS, but this sounds like a lot more work than just checking everything into your repo?
weinzierl
8y ago
This, or if you have the money there are companies that do that for you.
perlgeek
8y ago
Have a local mirror with the relevant packages, or a caching proxy.
MarkyC4
8y ago
Create a mirror registry containing the packages you depend on.
astrobe_
8y ago
Git or similar?