undefined | Better HN

0 pointsivan8884y ago0 comments

Code examples abound on Stack Overflow, GitHub Gist, blog posts, etc. These may contain direct URL dependencies.

Example guiding users to include a Maven dependency: https://www.baeldung.com/guava-mapmaker#map-maker

There is some degree of assurance that this dependency won't last long in the Maven central repo, or any other user configured repository, if it contained malicious code. Obviously it is not foolproof and incidents happen, but without a centralized authority for package management, there is much less assurance that a package is not malicious

0 comments

searchableguy4y ago

I find your concern valid.

Deno makes it easy to import from temporary places. However, this wouldn't be solved by having a centralized registry or a package manager like npm.

Npm can install from git repos and registries other than npmjs.

Having a package on npm by its own doesn't make it any less malicious.

A solution would be to enforce registries you can import from and fail if it's outside that.

j / k navigate · click thread line to collapse