undefined | Better HN

story

0 pointsblueflow5mo ago0 comments

The same way it always has been done - vendor your deps.

0 comments

That literally makes no difference at all. You’ll just vendor the malicious versions. No, a lock file with only exact versions is the safe path here. We haven’t seen a compromise to existing versions that I know of, only patch/minor updates with new malicious code.

I maintain that the flexibility in npm package versions is the main issue here.

blueflowOP5mo ago

You are using the word "vendoring" differently than i do, i mean some kind of private fork of the repository.

joshstrange5mo ago

You are using the word differently than everyone else I think. I’ve never heard someone using that word to mean maintain private forks. Then again, even private forks don’t protect you much more than package lock files and they are way more overhead IMHO.

You still need some out-of-band process to pull upstream updates and aside from a built-in “cool down” (until you merge changes) I see that method as having a huge amount of downside.

Yes, you sidestep malicious versions pushed to npm but now you own the build process for all your dependencies and you have to find time to update (and fix builds if they break) all your dependencies.

Locking to a specific version and waiting some period of time (cool down) before updating is way easier and jus as safe IMHO.

1 more reply

sph5mo ago

To be fair this does only work in ecosystems where libraries are stable and don't break every 3 months as it often happens on the JS world.

You can vendor your left-pad, but good luck doing that with a third-party SDK.

CGamesPlay5mo ago

... you vendor the third-party SDK? Nobody worth working with is breaking their SaaS APIs with that cadence.

hu35mo ago

that's what I do whenever feasible. Which is often

j / k navigate · click thread line to collapse

0 comments

joshstrange5mo ago

I maintain that the flexibility in npm package versions is the main issue here.

blueflowOP5mo ago

You are using the word "vendoring" differently than i do, i mean some kind of private fork of the repository.

joshstrange5mo ago

You still need some out-of-band process to pull upstream updates and aside from a built-in “cool down” (until you merge changes) I see that method as having a huge amount of downside.

Locking to a specific version and waiting some period of time (cool down) before updating is way easier and jus as safe IMHO.

1 more reply

sph5mo ago

To be fair this does only work in ecosystems where libraries are stable and don't break every 3 months as it often happens on the JS world.

You can vendor your left-pad, but good luck doing that with a third-party SDK.

CGamesPlay5mo ago

... you vendor the third-party SDK? Nobody worth working with is breaking their SaaS APIs with that cadence.

hu35mo ago

that's what I do whenever feasible. Which is often

j / k navigate · click thread line to collapse