> But why would an npm token in angulartics2 have publication rights to tinycolor?
Imo, this is one of the most classical ways organizations get pwned: That one sin from your youth years ago comes to bite you in the butt.
We also had one of these years ago. It wasn't the modern stack everyone was working to scan and optimize and keep us secure that allowed someone to upload stuff to our servers. It was the editor that had been replaced years and years ago, and its replacement had also been replaced; the way it was packaged wasn't seen by the build-time security scans, but eventually someone found it with a URL scan. Whoopsie.
Thinking of biology, the reason often given for the disappearance of "unused" genes/base-pairs is that there's a metabolic cost to keeping them around and copying them on every cell division, so they vanish from a form of passive attrition.
I wonder if someday we'll find there's also a more active process, which resembles "remove old shit because it may contain security vulnerabilities."