undefined | Better HN

0 pointscphoover4y ago0 comments

> The threat model you're talking about neither seems realistic, nor like something npm audit can help with. The attack vector of a contributor sneaking in malicious code is dealt with by only giving the commit bit to trusted people, and reviewing code yourself.

How is this not realistic when it has already been seen in the npm ecosystem multiple times. For an example of this in the wild see the event-stream (crypto-mining trojan) fiasco: https://github.com/dominictarr/event-stream/issues/116

Dependencies are a target for exploit, your package may be safe now and then become unsafe in the future, either intentionally or unintentionally.

0 comments

enumjorge4y ago

The problem is, if a security vulnerability snaked past the maintainers of a project, what hope do I have as someone who consumes the package to a) catch it b) know how to fix it?

cphooverOP4y ago

That's exactly the issue that npm-audit seeks to ameliorate. It's not perfect, but it's better than nothing.

j / k navigate · click thread line to collapse