Better HN
Vinnl
4y ago
If there's a vulnerability in Webpack (a devDependency) that injects malicious code into your bundle, `npm prune --production` won't save you.
remram
4y ago
This is not a vulnerability (i.e. a security bug); it's an attack (i.e. malicious).
Vinnl
OP
4y ago
It doesn't really matter what you call it; the problem is that there could be CVEs in your devDependencies that affect your production build, and pruning those dependencies after using them to create that build doesn't remove the risk.