undefined | Better HN

0 pointsMeetingsBrowser1mo ago0 comments

> There is 100% benefit in running that shit in a development environment.

Most of the recent supply chain attacks specifically target stealing secrets from development environments.

> But hey thanks for proving me right about the unhinged complaints.

I'm sorry if I'm upsetting you, but I am not complaining or trying to provoke you.

"Just check in the dependencies and review them" is not a revolutionary idea. It makes sense in many contexts.

But it is not practical in the overwhelming majority of contexts. React's last minor version bump included 100 files and ~5k changes. It also bumped the versions of 6 direct dependencies, which in turn bumped dependencies, etc.

It is not reasonable for a small (or even medium) team using react to manually review all of the changes and all the changes in react's transitive deps each time they need to update. The problem grows exponentially with all of the other common projects and libraries likely being used in a front end project(vite, react router, redux, vitest, etc).

pick a few non-trivial npm projects and try to audit all of the changes (for all transitive dependencies) for a few releases that bumped dependencies.

0 comments

3 comments · 1 top-level

stephenr1mo ago· 2 in thread

> Most of the recent supply chain attacks specifically target stealing secrets from development environments.

If your secrets in a dev environment can actually do any damage if leaked, you're doing something very fucking wrong.

> React's last minor version bump included 100 files and ~5k changes.

So you're choosing over engineered dependencies and then complaining they're too big.

Somehow I think the problem, as usual, started with the meat sack on the chair.

MeetingsBrowserOP1mo ago

I think we may be talking past each other at this point, but secrets from a dev env can be more valuable than secrets from a production env.

With things necessary for a dev env, like read/write access to source control, attackers can get access to internal data, and push malicious code that gets run in a prod env anyway.

If you want to make the claim that using react is an insane indefensible choice from a security standpoint, you are being idealistic at best.

Telling people not to use react does not help anyone, and that type of recommendation causes reputational damage to the security industry.

stephenr1mo ago

We are clearly talking about different things.

Access to source control is required on a developer workstation.

It is not required inside an application environment on that workstation (eg a VM or other such system that both provides a standard environment and creates separation)

I'm not making any claims about the security of react.

j / k navigate · click thread line to collapse