
Wow. That takes the lax attitude towards security in the NPM world to a whole new level.


To be fair to the proposal’s advocates and the person who posted the blog article which prompted it: they’re not wrong that npm audit is mostly irrelevant noise and actively harmful (incentivizes individuals to ignore meaningful security issues) because of that. Their proposal is just the wrong solution, and last I checked in they were too wedded to it.


npm audit is pretty damn meaningless at the moment. Creating a bog-standard react app with create-react-app (`npx create-react-app my-app`) right now results in

> 68 vulnerabilities (21 moderate, 45 high, 2 critical)

Even installing the latest npm itself (`npm install -g npm@8.1.1`) results in

> 3 moderate severity vulnerabilities
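The noisy summary lines quoted above are what `npm audit` prints by default; the raw `npm audit --json` report carries enough structure to triage them. The following script is an added example (not code from the thread, from create-react-app or from npm itself) that reads such a report and separates the counts that matter: which findings are in direct dependencies versus transitive ones, and which have no fix available. It assumes the `auditReportVersion: 2` shape npm 7+ emits (a `vulnerabilities` map whose entries carry `severity`, `isDirect`, `via` and `fixAvailable`); the package names and advisories in the embedded sample are constructed, not real.

```javascript
// Added example: triage helper for `npm audit --json` (npm 7+ report format).
// Assumption: auditReportVersion 2, where each entry in `vulnerabilities` has
// `severity`, `isDirect`, `via` (advisory objects, or package-name strings for
// inherited vulnerabilities) and `fixAvailable` (true, false, or an object).

// Constructed sample report, not real audit output: one direct dependency with a
// semver-major fix, one transitive dependency with a fix, one with no fix at all.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-direct-lib": {
      name: "example-direct-lib",
      severity: "high",
      isDirect: true,
      via: [{ source: 0, name: "example-direct-lib", title: "constructed advisory A",
              url: "https://example.invalid/a", severity: "high", range: "<2.0.0" }],
      effects: [],
      range: "<2.0.0",
      nodes: ["node_modules/example-direct-lib"],
      fixAvailable: { name: "example-direct-lib", version: "2.0.1", isSemVerMajor: true },
    },
    "example-build-tool-dep": {
      name: "example-build-tool-dep",
      severity: "moderate",
      isDirect: false,
      via: [{ source: 1, name: "example-build-tool-dep", title: "constructed advisory B",
              url: "https://example.invalid/b", severity: "moderate", range: "<1.4.0" }],
      effects: ["example-transitive-nofix"],
      range: "<1.4.0",
      nodes: ["node_modules/example-build-tool-dep"],
      fixAvailable: true,
    },
    "example-transitive-nofix": {
      name: "example-transitive-nofix",
      severity: "critical",
      isDirect: false,
      // A string in `via` means the package is flagged only because it depends
      // on a vulnerable package, not because of an advisory of its own.
      via: ["example-build-tool-dep"],
      effects: [],
      range: "*",
      nodes: ["node_modules/example-transitive-nofix"],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

// Most severe first; used both for counting and for ordering the output.
const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

// Walk the report and bucket findings by severity, reachability and fixability.
function triageAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error("expected npm auditReportVersion 2 (npm 7+)");
  }
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const direct = [];
  const transitive = [];
  const unfixable = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    counts[entry.severity] = (counts[entry.severity] || 0) + 1;
    // Only object entries in `via` are advisories against this package itself.
    const ownAdvisories = entry.via.filter((v) => typeof v === "object").length;
    const item = { name: entry.name, severity: entry.severity, ownAdvisories, fix: entry.fixAvailable };
    (entry.isDirect ? direct : transitive).push(item);
    if (entry.fixAvailable === false) unfixable.push(item);
  }
  const bySeverity = (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity);
  direct.sort(bySeverity);
  transitive.sort(bySeverity);
  return { counts, direct, transitive, unfixable, total: direct.length + transitive.length };
}

// One-line summary in the spirit of npm's own, but with the triage split added.
function formatSummary(triage) {
  const parts = SEVERITY_ORDER.filter((s) => triage.counts[s] > 0)
    .map((s) => `${triage.counts[s]} ${s}`);
  return `${triage.total} vulnerabilities (${parts.join(", ")}); ` +
    `${triage.direct.length} in direct dependencies, ${triage.transitive.length} transitive, ` +
    `${triage.unfixable.length} without an available fix`;
}

console.log(formatSummary(triageAudit(SAMPLE_REPORT)));
for (const item of triageAudit(SAMPLE_REPORT).direct) {
  console.log(`direct: ${item.name} [${item.severity}] fix=${JSON.stringify(item.fix)}`);
}
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse(fs.readFileSync("audit.json", "utf8"))` after `npm audit --json > audit.json`. The split matters for the point made in the thread: a high count dominated by transitive build-tool findings with fixes available is a different situation from a single unfixable finding in a direct dependency, and the default summary line does not distinguish them.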


create-react-app made their own security problems by bringing in the entire world, npm audit just makes that clear.

npm itself having vulnerabilities is a more serious problem and it's not clear that they're taking it seriously.


I think security at NPM is "done".

It's a public repository of stuff. End of story. Why should NPM do the job of vetting everything? They aren't getting paid for it (or most of it).


> npm, Inc. is a company founded in 2014, and was acquired by GitHub in 2020.

https://www.npmjs.com/about

> Headquartered in California, [GitHub] has been a subsidiary of Microsoft since 2018.

https://en.wikipedia.org/wiki/GitHub

I think they're effectively a department that generates a lot of PR. They have paid security staff.

https://jobspresso.co/job/software-engineer-platform-2-2-2-2...

This is a job posting for a security engineer at npm from July 4, which appears filled to me. I'm sure as an organization npm inc. is aware of vulnerabilities in their core product, so there's internal back and forth - the usual stuff.



