
To me it doesn't really matter what is injected, as long as it's undisclosed in places people would look (NPM/Readme/Docs/etc), it's unacceptable


It's in the code. That's where people should look first and foremost in open-source dependencies. Otherwise how do you know you're not pulling in some horrible, bug-ridden crap as a dependency? Most npm code has almost 0 documentation anyway.


If you expect a developer to review every line of code of every version of every module all the way down the NPM dependency tree then we can forget about anyone ever completing a project.

There are other solutions.


You don't need to review every line. Just general code quality, and search for obvious obfuscations or things like these.
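As an added illustration of the "search for obvious obfuscations" approach in the comment above (example code written for this page, not from any commenter or project): a heuristic scanner that walks a `node_modules` tree and flags JavaScript files carrying common obfuscation markers. The indicator list and the two sample strings are constructed assumptions; a hit is a lead for manual review, not a verdict.

```python
"""Heuristic scan of JavaScript sources for obvious obfuscation indicators."""
import re
from pathlib import Path

# Each pattern is a crude indicator, not proof; counts are reported per file.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bnew\s+Function\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),           # long runs of \xNN
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),  # big opaque literal
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "atob_decode": re.compile(r"\batob\s*\("),
}

def scan_source(text):
    """Return {indicator: hit_count} for every indicator present in the text."""
    hits = {}
    for name, pat in INDICATORS.items():
        n = len(pat.findall(text))
        if n:
            hits[name] = n
    return hits

def scan_tree(root, suffixes=(".js", ".cjs", ".mjs")):
    """Walk root (e.g. node_modules) and return {relative_path: hits} for flagged files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.suffix in suffixes and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_source(text)
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings

# Constructed samples: a plain module and one stuffed with obfuscation markers.
CLEAN_SAMPLE = "module.exports = function add(a, b) { return a + b; };\n"
SUSPECT_SAMPLE = (
    "var p = '" + "A" * 130 + "';\n"                                  # long base64-like blob
    "eval(String.fromCharCode(99,111,110,115,111,108,101));\n"
    "var c = require('child_process');\n"
    "var s = '\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65\\x2e\\x6c\\x6f\\x67';\n"
)

if __name__ == "__main__":  # usage: python scan.py node_modules
    import sys
    for rel, hits in sorted(scan_tree(sys.argv[1]).items()):
        print(rel, hits)
```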


Simply instantiating a React project with `create-react-app` generates a lock file with over 1300 transitive dependencies:

    $ npx create-react-app sample-app
    $ cd sample-app
    $ cat package-lock.json | jq '.packages | length'
    1393

Expecting all developers (including those new to the field) to manually audit each and every one of these packages simply isn't feasible.



