NPM vs. Vendoring: Ready, Fight
3 by freddiemixell | 0 comments on Hacker News.
We've all heard about the recent npm author/criminal who pushed code to attack websites and developers in Russia. As much as I think Russia is a wasteland of hateful people, this was a very bad move. We as a community need to protect ourselves for when and if Russians strike back with an npm bug of their own. What is the solution? Do we vendor our node modules and manually update them, checking for malicious code? I'm not sure that would have prevented the attack, because the update was masked very well using array buffer. Are you preparing in any way for an attack to happen? Do you think vendoring is the solution? Do you think npm has a way forward that will restore confidence?