How's it going, I'm Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript and Frontend, but don't let that fool you - I've also got some serious Backend skills.
Location
City of Bath, UK 🇬🇧
Education
10 plus years* of active enterprise development experience and a Fine Art degree 🎨
But this is not our fault. 😁
NPM is like wanting a banana and getting a jungle. It was stated in this post that vetting our dependencies is the only way.
If one brings 20, and 20 of those have 200, and those have 2000 dependencies, well, I'm not sure how many years I would need to check several files with potential for n hundred lines.
But then the only solution is automated checking as npm does (quite poorly, depending who you ask), and that is where we are right now. Automated checks are unfortunately retroactive: there have to be some victims to ensure the safety of the rest of us. Proactive human checking will always win as long as it's not a large job; I just don't think the pace of sprints ties nicely with this timeline.
It kinda is, I'm afraid. Yeah, npm should have some responsibility, but in the end it's up to us to understand how it works and take measures to secure our applications as much as possible. But we can't do much apart from the solution presented in this post. Although that has its drawbacks too: minor/patch versions sometimes contain security fixes that would not be installed until we do it manually. We would need to be quite responsible and update our dependencies manually every couple of days to get access to those fixes. But we would also need to check what the updates are and check for insecure code... which in my opinion is not possible (or at least not easy) for smaller teams.
So yeah, I guess we're screwed, damn...
Do your best, I suppose; it's all we can do. I know in truth it is down to us all to be secure - thank you for the post Keff :)
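The "20 bring 200 bring 2000" worry in the thread can be measured instead of guessed. As an added example, not code from the post or from Keff or Adam, this Node script walks a package-lock.json in the lockfileVersion 3 layout to count the packages reachable from each direct dependency (following npm's nearest-node_modules resolution, so nested duplicate copies are counted) and flags direct dependencies declared with a floating range rather than an exact pin, which is the trade-off Keff describes. The manifest and lockfile below are constructed sample data.

```javascript
// Added example, not from the thread: count the "jungle" behind each direct
// dependency from an npm lockfile (lockfileVersion 3 layout) and flag direct
// dependencies that are not pinned to an exact version. Sample data is constructed.
const SAMPLE_PACKAGE_JSON = { dependencies: { left: "^1.2.0", right: "2.0.0" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { left: "^1.2.0", right: "2.0.0" } },
    "node_modules/left": { version: "1.2.3", dependencies: { mid: "~0.4.0", leaf: "^3.0.0" } },
    "node_modules/mid": { version: "0.4.1", dependencies: { leaf: "^2.0.0" } },
    "node_modules/mid/node_modules/leaf": { version: "2.9.0" }, // nested second copy of leaf
    "node_modules/leaf": { version: "3.3.3" },
    "node_modules/right": { version: "2.0.0", dependencies: { leaf: "^3.0.0" } },
  },
};
// An exact pin is a bare x.y.z; ^, ~, ranges, tags and URLs all float.
const EXACT = /^\d+\.\d+\.\d+$/;
function unpinnedDirectDeps(pkg) {
  return Object.entries(pkg.dependencies || {}).filter(([, r]) => !EXACT.test(r)).map(([n]) => n);
}
// npm resolution: nearest node_modules/<dep> walking up from fromPath.
function resolvePath(lock, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. an optional dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx < 0 ? "" : base.slice(0, idx);
  }
}
// Lockfile paths reachable from rootPath via "dependencies" edges only
// (peer, optional and dev edges are ignored), excluding rootPath itself.
function transitiveClosure(lock, rootPath) {
  const seen = new Set(), stack = [rootPath];
  while (stack.length) {
    const path = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      const next = resolvePath(lock, path, dep);
      if (next) stack.push(next);
    }
  }
  seen.delete(rootPath);
  return seen;
}
function report(pkg, lock) {
  const transitive = {};
  for (const name of Object.keys(pkg.dependencies || {})) transitive[name] = transitiveClosure(lock, "node_modules/" + name).size;
  return { unpinned: unpinnedDirectDeps(pkg), transitive, total: transitiveClosure(lock, "").size };
}
```

Run it against a real project by replacing the two constants with `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`; the `total` figure is the number of packages someone would actually have to read to vet the tree by hand.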