DEV Community

Discussion on: Another Npm Package Is Highjacked and It's Your Fault That This Happened

Keff

It kinda is, I'm afraid. Yeah, npm should have some responsibility, but in the end it's up to us to understand how it works and take measures to secure our applications as much as possible. But we can't do much apart from the solution presented in this post. Although that has its drawbacks too: minor/patch versions sometimes contain security fixes that would not be installed until we do it manually. We would need to be quite responsible and update our dependencies manually every couple of days to get access to those fixes. But we would also need to check what the updates are and check for insecure code... which in my opinion is not possible (or at least not easy) for smaller teams.

So yeah, I guess we're screwed, damn...
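The two sides of the trade-off in the comment above (pin exact versions so an install cannot pull a surprise release, but then you also stop receiving patch releases, security fixes included, until you update by hand) can both be made visible with a little tooling. The script below is an added example, not code from the original post or from either commenter: it runs offline under Node.js, the package.json it reads and the registry version list it checks against are constructed here, and the package names are invented.

```javascript
// Added example, not code from the original post or either commenter.
// Two small checks around the "pin exact versions" advice:
//   1. auditPins()       - which package.json entries are NOT exact pins,
//                          so a fresh `npm install` could pull a newer,
//                          possibly hijacked, release on its own;
//   2. skippedReleases() - given a pin and the versions that exist on the
//                          registry, which newer same-major releases (the
//                          ones a caret range would take, patch security
//                          fixes included) you are now skipping and must
//                          review and apply by hand.
// Runs offline under Node.js; the package.json and the version list are
// constructed for this example and the package names are invented.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "pkg-exact": "1.3.0",                      // exact pin
    "pkg-caret": "^4.17.21",                   // any 4.x.y >= 4.17.21
    "pkg-tilde": "~2.1.0",                     // any 2.1.x >= 2.1.0
    "pkg-any": "*",                            // anything at all
    "pkg-git": "github:someorg/somerepo#main", // moving git ref
    "pkg-alias": "npm:other-pkg@3.2.1",        // alias, but pinned
  },
  devDependencies: {
    "tool-eq": "=7.0.1",                       // "=" prefix is still exact
    "tool-gte": ">=8.0.0",                     // open-ended range
  },
});

// A bare release version, optionally prefixed with "=" or "v"; npm treats
// all three spellings as an exact pin.
const EXACT_VERSION =
  /^[=v]?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify one version spec as "exact", "any", "git-or-url" or "range"
// (dist-tags such as "next" also land in "range": they are not pins).
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return "exact";
  if (s.startsWith("npm:")) {
    // Alias form "npm:<name>@<spec>"; classify the part after the last "@".
    // A leading "@" belongs to a scope, so index 0 means no version given.
    const rest = s.slice(4);
    const at = rest.lastIndexOf("@");
    return at > 0 ? classifySpec(rest.slice(at + 1)) : "any";
  }
  if (/^(github:|gitlab:|bitbucket:|git\+|git:|https?:|file:)/.test(s) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) {
    return "git-or-url";
  }
  if (s === "" || s === "*" || s === "latest") return "any";
  return "range";
}

// Every dependency entry that is not an exact pin, with where it came from.
function auditPins(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "exact") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Minimal x.y.z parsing; enough for release versions, which is all a pin
// should ever be.
function parseVersion(v) {
  const m = /^[=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Releases newer than the pin within the same major line, oldest first:
// exactly what a caret range would have installed without asking.
function skippedReleases(pinned, available) {
  const [major] = parseVersion(pinned);
  return available
    .filter((v) => parseVersion(v)[0] === major && compareVersions(v, pinned) > 0)
    .sort(compareVersions);
}

// Demo on the constructed input.
for (const f of auditPins(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: ${f.name} "${f.spec}" is ${f.kind}, not an exact pin`);
}
// Constructed registry listing for pkg-caret; a real check would read
// `npm view <pkg> versions --json` instead.
const AVAILABLE = ["4.16.0", "4.17.21", "4.17.22", "4.18.0", "5.0.0"];
console.log("pkg-caret pinned at 4.17.21 skips:", skippedReleases("4.17.21", AVAILABLE));
```

`npm install --save-exact` (or `save-exact=true` in `.npmrc`) makes npm write exact pins instead of caret ranges, and `npm ci` installs exactly what the lockfile records; neither removes the manual review step the comment describes, which is what the second function is there to feed.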

Adam Crockett 🌀

Do your best, I suppose; it's all we can do. I know in truth it is down to us all to be secure. Thank you for the post, Keff :)