Hacker News

lesuorac, yesterday at 7:19 PM (2 replies)

To me this is asking the question of "what's the safest way to drink from a polluted river".

The answer is really, don't.

NPM and the JS ecosystem has really gone down a path of zero security and they're paying the price for it.

If you really need libraries from NPM and whatnot, vendorize them so you're relying on known-safe files and don't arbitrarily update them without re-verification.


Replies

vedhant, yesterday at 7:22 PM

This is true. Today it's npm, tomorrow it could be some other language. Shouldn't we focus on solving it at the root?

samdoesnothing, yesterday at 8:59 PM

Some of us need to drink from the river to eat :(